Disable Conan registry in FIPS mode
What does this MR do and why?
To be FIPS compliant, GitLab cannot make use of MD5 values. The Conan package registry has a few endpoints that rely on the use of MD5 values. This is defined by the Conan client, so it is not something we have control over. Without these endpoints, Conan installations and uploads will fail, so in FIPS mode, the Conan registry is broken with no workaround.
For now, we have decided to disable the Conan registry in FIPS mode.
This MR disables the Conan registry when FIPS is enabled:
- All API endpoints return `404 Not Found`
We have implemented Conan 1.0 (v1 API), and it looks like Conan 2.0 (v2 API) does not depend on the use of MD5 values; however, that release is still Alpha. We will revisit enabling Conan in FIPS mode when we implement the Conan v2 API.
Screenshots or screen recordings
N/A
How to set up and validate locally
N/A - it is not easy to set up a FIPS environment locally
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #366547 (closed)
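A sketch of the behaviour described above, written as a small Rack-style gate that answers `404 Not Found` for Conan registry routes whenever FIPS mode is on. This is an added example, not code from this MR or from GitLab; the class name, the route patterns, the JSON body and the injectable `fips_check` are assumptions made for illustration.

```ruby
require 'openssl'
require 'json'

# Hypothetical Rack middleware: hides Conan registry routes when FIPS is on.
class ConanFipsGate
  # Assumed route shapes (instance-level and project-level Conan v1 API);
  # they are not taken from the page.
  CONAN_ROUTES = [
    %r{\A/api/v4/packages/conan(/|\z)},
    %r{\A/api/v4/projects/[^/]+/packages/conan(/|\z)}
  ].freeze

  # fips_check is injectable so the gate can be exercised without a FIPS host.
  def initialize(app, fips_check: -> { OpenSSL.respond_to?(:fips_mode) && OpenSSL.fips_mode })
    @app = app
    @fips_check = fips_check
  end

  def call(env)
    return @app.call(env) unless conan_path?(env['PATH_INFO']) && @fips_check.call

    # Same answer as for an unknown route, so clients fail fast and no
    # MD5-dependent handler is ever reached.
    body = JSON.generate('message' => '404 Not Found')
    [404, { 'content-type' => 'application/json' }, [body]]
  end

  private

  def conan_path?(path)
    # Collapse duplicate slashes so "//packages/conan" cannot slip past.
    normalized = path.to_s.squeeze('/')
    CONAN_ROUTES.any? { |route| route.match?(normalized) }
  end
end

# Constructed stand-in for the downstream application.
DOWNSTREAM = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }

# Helper for trying the gate: returns the HTTP status for a path.
def gate_status(path, fips:)
  ConanFipsGate.new(DOWNSTREAM, fips_check: -> { fips }).call('PATH_INFO' => path).first
end
```

Gating before routing keeps every Conan handler, including the MD5-dependent ones, unreachable in FIPS mode while other package registries are unaffected.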