On Fri, 2021-07-09 at 20:22 +0200, Florian Weimer wrote:
> * Ben Cotton:
> 
> > == Detailed Description ==
> > The use of SHA-1 is no longer permitted for Digital Signatures or
> > authentication in RHEL-9. For this reason, there is a need to
> > remove the SHA-1 extension from SQLite in RHEL-9 and therefore also
> > Fedora. The removal of the extension was discussed with SQLite
> > upstream development, who confirmed that it is safe to remove it and
> > should not impact other functionality of SQLite.
> 
> Why can we keep SHA-1 in coreutils and Git, but not in SQLite?  That
> does not make sense to me.
> 
> SQLite is a general-purpose tool.  Not every use of SHA-1 is
> cryptographically relevant.  Most uses in the context of SQLite probably
> aren't, so the removal just annoys users for no good reason.

Note that this is a SQLite decision; from RHEL engineering we only
requested the removal in digital signatures and where integrity
protection is required for security.
Also note that we do not require full removal, just that SHA-1 is not
used unless users intentionally change configuration.

Simo.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc


