@FiloSottile requested issue #74947 to be considered for backport to the next 1.24 minor release.

@gopherbot please open backport issues for Go 1.24 and Go 1.25.

Backporting a change to the FIPS 140-3 module is an exception we discussed with the lab.

It will involve:

  1. landing the change on master (CL 701517)
  2. preparing release-branch.go1.24 by reverting a small post-module seal change (CL 701440)
  3. preparing release-branch.go1.24 by backporting a couple internal fips140 tooling changes (CL 701439, CL 701437)
  4. backporting to release-branch.go1.24 (CL 701438)
  5. re-sealing the fips140 zip file on master based on the new release-branch.go1.24
  6. backporting the zip file to Go 1.24 and Go 1.25

Note that we'll have some builder failures in the middle of the process, because the tests will fail with the non-backported v1.0.0 zip'd module. They will resolve at the end of the process.

Comment From: FiloSottile

While doing this backport and re-seal, I would also like to backport two CLs that will make long-term maintenance of the module easier:

  • 701518: crypto/internal/fips140: update frozen module version to "v1.0.0" | https://go-review.googlesource.com/c/go/+/701518
  • 701519: crypto/internal/fips140/ecdsa: make TestingOnlyNewDRBG generic | https://go-review.googlesource.com/c/go/+/701519

Neither is visible from the application's point of view, so it shouldn't be necessary to backport this to the Go 1.25 tree. (We fix the version string in the crypto/fips140 package anyway, and the other one is a test-only change.)