Red Hat Bugzilla – Bug 969370
Coverage fails to generate html report in fips mode
Last modified: 2015-02-05 06:33:10 EST
Coverage implements a "Hasher" class in coverage/misc.py  that uses MD5 to create hash of an arbitrary structure. The only place where Hasher is instantiated is coverage/html.py  that hashes settings of the html generator and compares them with other settings.
So from one point of view, this seems to be a good candidate to use usedforsecurity=False. But that would need to be done inside the Hasher class and if a developer used this in some other library, that would use Hasher for security purposes, it would be a problem.
I guess the best thing to do here is to leave html report generation from coverage just fail in fips.
Or perhaps drop the Hasher completely, and do an explicit comparison of the two objects:
def compare(a, b):
if type(a) != type(b): return False
if isinstance(a, (string_class, int)): return a == b
if isinstance(a, float): return whatever_is_the_right_way_to_compare_floats_including_NaN(a, b)
This has the additional advantage of being always correct, whereas hashes can in principle have collisions.
Since I'm not assuming this package is actually being used by someone in fips mode, I think it's not worth the effort to fix. Therefore I'm closing as wontfix - if someone hits this issue, please feel free to reopen.