gh-110357: hashlib no longer logs at import when a guaranteed hash is unavailable#152538
Merged
Merged
Conversation
…ash is unavailable When a normally-guaranteed hash algorithm cannot be constructed at import time (e.g. an OpenSSL FIPS configuration excludes it from the default provider, or the build used --without-builtin-hashlib-hashes), importing hashlib emitted an "ERROR:root:hash algorithm ... will not be supported at runtime" message to stderr. For the many programs that never use the missing algorithm this is pure noise. Worse, logging.error() lazily calls logging.basicConfig(), which mutates the root logger's handlers -- a global side effect that the test suite flags as an altered execution environment. Stop logging in that path. Code that actually uses a missing algorithm still gets a clear ValueError from the stub constructor installed in its place. The stray output has shown up incidentally in FIPS / "No Builtin Hashes" buildbot reports for years (e.g. pythongh-110357, pythongh-76902) without being the reported subject.
gpshead
force-pushed
the
gh-110357-hashlib-no-import-noise
branch
from
c0e838d to
681a4e9
Compare
gpshead
added
the
needs backport to 3.15
Documentation build overview
|
Member
|
FTR, the logging part was already there for a long time and so i kept the logic in addition to a runtie check. |
|
Thanks @gpshead for the PR 🌮🎉.. I'm working now to backport this PR to: 3.15. |
|
GH-152554 is a backport of this pull request to the 3.15 branch. |
bedevere-app
Bot
removed
the
needs backport to 3.15
gpshead
added a commit
that referenced
this pull request
Jun 29, 2026
…hash is unavailable (GH-152538) (#152554) gh-110357: hashlib no longer logs at import when a guaranteed hash is unavailable (GH-152538) When a normally-guaranteed hash algorithm cannot be constructed at import time (e.g. an OpenSSL FIPS configuration excludes it from the default provider, or the build used --without-builtin-hashlib-hashes), importing hashlib emitted an "ERROR:root:hash algorithm ... will not be supported at runtime" message to stderr. For the many programs that never use the missing algorithm this is pure noise. Worse, logging.error() lazily calls logging.basicConfig(), which mutates the root logger's handlers -- a global side effect that the test suite flags as an altered execution environment. Stop logging in that path. Code that actually uses a missing algorithm still gets a clear ValueError from the stub constructor installed in its place. The stray output has shown up incidentally in FIPS / "No Builtin Hashes" buildbot reports for years (e.g. gh-110357, gh-76902) without being the reported subject. (cherry picked from commit 8ae1a23) Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
hashliblogs an error at import time when a normally-guaranteed algorithmcannot be constructed, which happens when an OpenSSL FIPS configuration excludes
it from the default provider or the build used
--without-builtin-hashlib-hashes.For example:
Logging at import time is best avoided because of its side effects. Here the
message is unwanted output for programs that never use the missing algorithm,
and the module-level
logging.error()call runslogging.basicConfig(), whichattaches a handler to the root logger. That changes global logging state for any
application that imports
hashlibbefore configuring logging, and regrtestreports it as an altered execution environment.
This removes the logging. Code that uses a missing algorithm still gets a
ValueErrorfrom the stub constructor installed in its place, so nothing usefulis lost.
Verification
Built with
--without-builtin-hashlib-hashes, soblake2b/blake2sareunavailable:
import hashlibis now silent andtest_hashlibno longer reportsenv_changed. A normal build'stest_hashlibis unaffected.