Mention GODEBUG=fips140 in FIPS docs #1508

Open: wants to merge 3 commits into base: microsoft/main

@qmuntal qmuntal commented Jan 20, 2025

For #1445.

@qmuntal qmuntal requested a review from a team as a code owner January 20, 2025 13:32
eng/doc/fips/README.md (outdated)
@qmuntal qmuntal requested review from dagood and gdams January 21, 2025 06:30

@dagood dagood left a comment

I don't think this holds up to the claim that the doc describes all in-support versions of Go. Some comments about that, but I haven't gotten to the later parts of the doc yet.

eng/doc/fips/README.md
@@ -42,7 +42,7 @@ The Microsoft Go fork provides several ways to configure the crypto backend and
- [`GOEXPERIMENT` `allowcryptofallback`](#build-option-to-use-go-crypto-if-the-backend-compatibility-check-fails)
- [`import _ "crypto/tls/fipsonly"` source change](#tls-with-fips-compliant-settings)
- Runtime configuration:
- [`GOFIPS` environment variable](#usage-runtime)
- [`GODEBUG=fips140` setting](#usage-runtime)
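
Review bot: in the "Runtime configuration" list, the `GODEBUG=fips140` entry gives no Go version, while the note added further down in this README says the setting applies since Go 1.24 and that `GOFIPS` support is removed in Go 1.25. Suggest qualifying the list entry with the versions it applies to, for example "`GODEBUG=fips140` setting (Go 1.24 and later)", so the list states which toolchains each runtime setting covers. Both entries also link to `#usage-runtime`, so that section needs to cover both settings for the links to land on relevant text.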

I think GOFIPS should still be mentioned here until it's no longer in a supported version of Microsoft Go. (At least, this list was intended to include everything.)

@@ -42,7 +42,7 @@ The Microsoft Go fork provides several ways to configure the crypto backend and
- [`GOEXPERIMENT` `allowcryptofallback`](#build-option-to-use-go-crypto-if-the-backend-compatibility-check-fails)

Line above this one (too far from a diff to comment directly) mentions requirefips and should maybe also mention GOFIPS140=latest.

The following sections describe how to enable FIPS mode and the effect of the `GODEBUG=fips140` setting on each supported platform.

> [!NOTE]
> Since Go 1.24, setting `GOFIPS=1` is equivalent to setting `GODEBUG=fips140=on`. The latter is the recommended way to enable FIPS mode. Support for the `GOFIPS` environment variable will be removed in Go 1.25.
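
Review bot: the note maps only `GOFIPS=1` to `GODEBUG=fips140=on` and does not say which setting takes precedence when both `GOFIPS` and `GODEBUG=fips140` are present in the environment, or what other `GOFIPS` values correspond to. Suggest stating the precedence and the mapping for the remaining values, and making explicit which distribution "removed in Go 1.25" refers to.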

I think this doesn't make it clear what GOFIPS=1 means in Go 1.23.
