docs(v26.2): update FIPS page callouts to reflect GA status #23372
Open
mikeCRL wants to merge 1 commit into
- Replace callout_danger with callout_info now that v26.2 uses GOFIPS140=v1.0.0 and FIPS support has returned to GA
- Update "What FIPS support means" callout from future to present tense
- Update "Migration from FIPS 140-2 to FIPS 140-3" callout to remove stale cross-reference and rewrite in present tense
- Update "Operating System Requirements" version reference v26.1 -> v26.2
- Update Docker image tag example v26.1.0-fips -> v26.2.0-fips
- Update upgrade callout title and remove "stay on v25.4 or wait" language
- De-version-specific the password requirements warning
jhlodin (Contributor) requested changes on May 19, 2026 and left a comment:
IMO we should go further to make this content more future-proof
Comment on lines +8 to +15
| {{site.data.alerts.callout_info}} | ||
| **FIPS support returns to GA in v26.2** | ||
|
|
||
| As an [Innovation release]({% link releases/index.md %}#major-versions), CockroachDB v26.1 can be skipped. Production clusters running a v25.4 FIPS binary should be upgraded directly to a v26.2 FIPS binary (available May 2026) for continuous GA support of FIPS. | ||
| CockroachDB v26.2 completes the transition to [Go's native FIPS 140-3 support](https://go.dev/doc/security/fips140), built with `GOFIPS140=v1.0.0`. This locks to the frozen Go Cryptographic Module v1.0.0 from early 2025, which is on the [CMVP Modules In Process List](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/modules-in-process-list) and can be deployed in certain regulated environments. | ||
|
|
||
| **Recommendation for Production Deployments:** | ||
| FIPS support was marked as **Preview** in CockroachDB v26.1, which used `GOFIPS140=latest` — a non-frozen implementation not under NIST review. It returns to **General Availability** (GA) status in v26.2. | ||
|
|
||
| - **Current FIPS users:** Stay on v25.4 or wait for v26.2. | ||
| - **New FIPS deployments:** Wait for v26.2, or start on v25.4 and later upgrade directly to v26.2. | ||
| - **Testing/non-production:** v26.1 can be used for testing and evaluation. | ||
| Production clusters running a v25.4 or v26.1 FIPS binary can upgrade directly to v26.2. |
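Review bot: The sentence ending "is on the CMVP Modules In Process List ... and can be deployed in certain regulated environments" sits under a callout titled "FIPS support returns to GA in v26.2", so a reader can take product GA to mean the module already holds a CMVP certificate. An in-process listing means the module is under review; say that explicitly, and either name what "certain regulated environments" covers or drop the phrase. The closing line that v25.4 and v26.1 FIPS binaries "can upgrade directly to v26.2" should also link to the upgrade callout further down the page, since that callout describes the move away from OpenSSL as a significant architectural change.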
Contributor
IMO all of this should be removed. On a feature page this will quickly go stale and ignored until it's painfully out of date, and should instead just validate that the v26.2 release notes/highlights call out the move to GA.
Comment on lines +193 to +195
| **Upgrading from v25.4 or v26.1 FIPS to v26.2 FIPS** | ||
|
|
||
| CockroachDB v26.1 represents a major architectural change in FIPS implementation, transitioning from the previous OpenSSL-based approach to Go's native FIPS cryptographic module. Because FIPS support is Preview in v26.1 and will return to GA in v26.2, production FIPS-ready clusters should remain on v25.4 or wait for v26.2. | ||
| CockroachDB v26.1 and v26.2 use Go's native FIPS cryptographic module, a significant architectural change from the OpenSSL-based approach used in v25.4 and earlier. FIPS support was Preview in v26.1 and returns to GA in v26.2. |
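Review bot: The callout is titled "Upgrading from v25.4 or v26.1 FIPS to v26.2 FIPS", but its body now only recounts history (the move from OpenSSL to Go's native module, Preview in v26.1, GA in v26.2) and gives the operator nothing to do, whereas the earlier wording at least carried a recommendation. Add the step or check an operator on v25.4 should perform when crossing the architectural change, or link to where it is documented. The last sentence, "FIPS support was Preview in v26.1 and returns to GA in v26.2", repeats the callout at lines +8 to +15 and can be kept in one place only.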
Contributor
Suggested change
| **Upgrading from v25.4 or v26.1 FIPS to v26.2 FIPS** | |
| CockroachDB v26.1 represents a major architectural change in FIPS implementation, transitioning from the previous OpenSSL-based approach to Go's native FIPS cryptographic module. Because FIPS support is Preview in v26.1 and will return to GA in v26.2, production FIPS-ready clusters should remain on v25.4 or wait for v26.2. | |
| CockroachDB v26.1 and v26.2 use Go's native FIPS cryptographic module, a significant architectural change from the OpenSSL-based approach used in v25.4 and earlier. FIPS support was Preview in v26.1 and returns to GA in v26.2. | |
| **Upgrading from v25.4 or v26.1 FIPS to v26.2+ FIPS** | |
| CockroachDB v26.1+ uses Go's native FIPS cryptographic module, a significant architectural change from the OpenSSL-based approach used in v25.4 and earlier. Native FIPS was a Preview in v26.1, so older deployments using FIPS are strongly recommended to upgrade to v26.2 or later. |
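Review bot: In the proposed replacement, "older deployments using FIPS" is ambiguous. The clause before it gives Preview status in v26.1 as the reason, which applies to v26.1 clusters, but "older" also reads as covering v25.4, which the same sentence describes as the OpenSSL-based line. Name the versions the recommendation targets, for example "deployments running a v26.1 FIPS binary", and state separately what v25.4 operators should do.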
Contributor
Suggest rewording to be more future-proof
Summary

The v26.2 FIPS page was carrying forward the v26.1 `callout_danger` warning verbatim — including future-tense language like "v26.2 will use `GOFIPS140=v1.0.0`" — even though that transition is now complete. This PR updates the callouts to reflect reality for v26.2 readers.

Verified against the `cockroachdb/cockroach` repo: the `release-26.2` branch `.bazelrc` confirms:

Changes

- `callout_danger` with `callout_info`. The danger framing was appropriate for v26.1 (where FIPS was actively degraded/Preview and users needed to stay on v25.4). In v26.2 that situation is resolved — a red warning box is misleading to readers landing on this page.
- `v26.2 will use...`) to present tense for v26.2.
- `v26.1` → `v26.2`.
- `v26.1.0-fips` → `v26.2.0-fips`.