Comment 7 for bug 2033612

Brian Rosmaita (brian-rosmaita) wrote:

@pots: Chris, can you elaborate on "the weakness in MD5 is not a problem here"? That will help in assessing this. My understanding is that it's still OK to use MD5 as long as it's not being used in a "security context", and at first glance, passing a password obfuscated by MD5 seems to be a "security context".

I haven't looked closely at the driver code, but is it the case that the hexdigest in the URL is only there for backward compatibility, and the newer arrays are using a different authentication mechanism? Or is the plan that the firmware in newer arrays could be updated so that you use the credentials-in-the-url scheme, but with sha512 or something?

I don't think there's a formal policy yet ... there is a community goal that OpenStack be FIPS-compatible, so the main cinder code no longer uses MD5 in a security context, but since it's up to operators what backends and drivers they use, we have not required that all the drivers do the same (figuring that their customers will push them to do this).

The release note is a good idea; if you act fast, we can get it into the Bobcat release notes.
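Added illustration (not code from the bug thread, the cinder driver, or the array vendor) of the "security context" distinction raised above: Python's hashlib accepts usedforsecurity= (3.9 and later), which is how a FIPS-enabled OpenSSL build distinguishes checksum-style MD5 from credential-style MD5, and a dictionary lookup against an unsalted password digest shows why a hexdigest of a password in a URL is the latter, whichever hash is used. The URL layout, host name and wordlist are constructed for the example and are not taken from the driver.

```python
import hashlib
from urllib.parse import parse_qs, urlencode, urlparse


def digest_hex(algo: str, data: bytes, usedforsecurity: bool = True) -> str:
    """Hexdigest via hashlib.new. On a FIPS-enabled OpenSSL build a
    non-approved algorithm such as md5 raises ValueError unless the caller
    declares usedforsecurity=False (checksums, cache keys, and similar)."""
    return hashlib.new(algo, data, usedforsecurity=usedforsecurity).hexdigest()


def fips_blocks_md5() -> bool:
    """True if this interpreter refuses MD5 for security use (FIPS mode)."""
    try:
        hashlib.md5(b"", usedforsecurity=True)
    except ValueError:
        return True
    return False


def build_credential_url(host: str, user: str, password: str, algo: str = "md5") -> str:
    """Hypothetical credentials-in-the-URL scheme (constructed for this
    example): the password travels as an unsalted hexdigest. The digest *is*
    the credential, so this is a security use of the hash; passing
    usedforsecurity=False here would only silence FIPS, not change that."""
    query = urlencode({"user": user, "pw": digest_hex(algo, password.encode())})
    return f"https://{host}/api?{query}"


def recover_password(url: str, wordlist, algo: str = "md5"):
    """Dictionary lookup against the digest in the URL. It works for any
    unsalted, unkeyed hash, which is why swapping md5 for sha512 on its own
    does not turn the scheme into a non-security use of the hash."""
    pw_digest = parse_qs(urlparse(url).query)["pw"][0]
    for candidate in wordlist:
        # usedforsecurity=False is honest on this side: the comparison only
        # needs a deterministic function, and FIPS mode should not block it.
        if digest_hex(algo, candidate.encode(), usedforsecurity=False) == pw_digest:
            return candidate
    return None


# Constructed sample wordlist, not data from the bug report.
SAMPLE_WORDLIST = ["password", "admin", "hunter2", "letmein", "storage1"]

if __name__ == "__main__":
    for algo in ("md5", "sha512"):
        url = build_credential_url("array.example.net", "admin", "hunter2", algo)
        print(algo, "-> recovered:", recover_password(url, SAMPLE_WORDLIST, algo))
    print("FIPS mode blocks MD5 in this interpreter:", fips_blocks_md5())
```

The practical consequence for a driver: marking the digest usedforsecurity=False is only defensible if the array treats it as a non-secret identifier, and changing the algorithm to sha512 keeps the digest FIPS-approved but does not make an unsalted password digest any harder to recover from a captured URL.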