FIPS dependencies and prebuilt binaries

https://www.docker.com/blog/fips-dependencies-and-prebuilt-binaries/

15•LaurentGoderre•1h ago

Author here. This came out of debugging a real Rails app running in a FIPS enabled container.

Everything looked correct. OpenSSL 3 with the FIPS provider enabled. Ruby built against it. A simple pg connection worked.

The app failed once ActiveRecord was involved. The error came from libpq. It turned out the pg gem had pulled in a prebuilt native dependency that was linked against different crypto. That path was always there. It just was not exercised until ActiveRecord hit it.

Forcing a source build fixed the issue because the extension then linked against the OpenSSL in the image.

The takeaway is that a FIPS base image does not mean your dependency graph respects the same boundary once native code is involved.

Curious how others have seen this play out in Ruby, Python wheels, Go with CGO, or Node native addons.

Comments

JasonADrury•1h ago

> FIPS compliance is a great idea that makes the entire software supply chain safer

Yes, gotta implement that Dual_EC_DRBG compatibility.

FIPS compliance is not a great idea, the benefits are questionable and possibly nonexistent. It's also significantly worse advice than simple "implement decent modern crypto", you can do all kinds of really bizarre stuff and still be FIPS compliant.

direwolf20•1h ago

FIPS compliance should be used when the customer demands FIPS compliance, and at no other time. It does not make your software more secure. The federal government has many reasons for its Information Processing Standards, and actual security isn't high up the list.

voidfunc•44s ago

FIPS is what happens when idiots get promoted and start reading too much LinkedIn CISO slop.

If a customer demands FIPS compliance charge them out the ass for it. Its not inherently secure, it requires in some cases massive re-engineering of product and toolchains, and mostly seems to be an ask from clueless deep pocketed Fortune 500 companies looking to minimize liability claims after a breach by being able to point at their FIPS compliance.

Monitor Cron Jobs Without Migration – DeadManPing

Doing a variety of exercise makes you 19% less likely to die than doing one

Starting a Startup at 25, 35, or 45 Is Not the Same Decision

We spent 5 YEARS building New York City in Minecraft [video]

Rent-Only Copyright Culture Makes Us All Worse Off

Show HN: Memcachex, a high-performance Memcached client for Go

Utah Continues to Ban More Books, Even as It Racks Up More Lawsuits

Kona: Energy-Based Models (EBMs) for AI Reasoning

Revealjs-skill: a better way for Claude to make presentations

Stunnel

Vibe a Guitar Pedal

Four Ingredients for Successful Retrofitting

TikTok Strikes Deal for New U.S. Entity, Ending Long Legal Saga

Why medieval city-builder video games are historically inaccurate (2020)

WAForth: Forth Interpreter+Compiler for WebAssembly

Clean Web UI for Steve Yegge's Beads

Apple's John Ternus Takes over Design in Latest CEO Succession Move – MacRumors

Guiding the Future of Chainguard OS: Announcing the FUD Committee

Back to Bellevue

Arkansas inmates restricted from receiving physical books, other media directly

The Physicians of Decay

Yabai: A tiling window manager for macOS based on binary space partitioning

Metastable Failures and Interactions Between Systems

Node.js: New HackerOne Signal Requirement for Vulnerability Reports

Ispc: Origins (Part 1)

Penis Size, height, and body shape influence assessment of male attractiveness

Lessons of Design

Malignant Narcissism

Samsung hits ₩1,000T market cap (~$740B)

Is that allowed? Authentication and authorization in Model Context Protocol