Issue #18272 has been updated by retro (Josef imnek).


AFAIK SHA-1 is used in Bundler/RubyGems only to hash file paths for gem clones and could be replaced in the future. It was recently vendored in Bundler and could be vendored into RubyGems as well.

It can be changed to a different hashing algorithm, but it will not be backwards compatible, and a proper migration plan should be prepared first.

----------------------------------------
Feature #18272: Please replace unsafe SHA1 with another digest algorithm
https://bugs.ruby-lang.org/issues/18272#change-94349

* Author: pvalena (Pavel Valena)
* Status: Open
* Priority: Normal
----------------------------------------
## Context
When working on a new version of RHEL (with Ruby 3.0), the requirement is to have better security (remove unsafe digests or limit their use to non-security purposes). This would be achieved by using OpenSSL 3.0 as well, which will have a raised security level by default, forbidding the use of unsafe digests.

## Issue
SHA-1 does not conform to the security requirements, and its replacement would be preferred.
A quote from the discussion (the bug is marked as internal):
```
SHA-1 is still possible to use for non-security use cases, but we should try to prevent its use for signatures if possible. Python took the approach of preventing this using the non-mandatory argument usedforsecurity=True to the constructor, which lets programmers indicate their intention explicitly and policy-makers verify that no SHA-1 is used in a security context. [1]

[1] https://docs.python.org/3/library/hashlib.html#hashlib.new
```

## Question
AFAICT in Ruby it is used for non-security purposes only. Could you confirm that?

## Possible solution
The use for non-security purposes might be indicated by setting an internal variable, which would allow the use of SHA-1 (although forbidden via the OpenSSL setting). Do you think this would be possible?

## Additional information
The failing tests upon SHA-1 removal in Ruby 3.0.2: https://gist.github.com/pvalena/9a053c5585329b595e2bff504198eba5



-- 
https://bugs.ruby-lang.org/

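As an added illustration of the two points raised above (the `usedforsecurity`-style opt-in and the need for a migration plan when clone-directory names change), here is a small hypothetical Ruby helper. It is not code from Ruby, Bundler or RubyGems; the module name `GemCloneDir`, its methods and the directory-naming scheme are all assumptions made for the example. The digest is used purely as a filename component, so switching from SHA-1 to SHA-256 is a compatibility problem rather than a security one, and the lookup shows how caches created under the old name can keep working during a transition.

```ruby
require "digest"
require "tmpdir"

# Hypothetical helper (not Bundler's or RubyGems' code): derive a cache
# directory name from a git URI. The digest only disambiguates file names,
# it never protects integrity, so the hash choice is about compatibility.
module GemCloneDir
  LEGACY_ALGO  = Digest::SHA1    # assumed: what existing clone dirs were named with
  CURRENT_ALGO = Digest::SHA256  # replacement digest used for new clone dirs

  # Directory name for +uri+. The +usedforsecurity:+ keyword mirrors Python's
  # hashlib flag: a caller that claims a security purpose is refused SHA-1,
  # so an audit can distinguish legitimate non-security uses from risky ones.
  def self.dir_name(uri, algo: CURRENT_ALGO, usedforsecurity: false)
    if usedforsecurity && algo == Digest::SHA1
      raise ArgumentError, "SHA-1 is not acceptable for security-sensitive use"
    end
    normalized = uri.to_s.strip.sub(/\.git\z/, "")
    "#{File.basename(normalized)}-#{algo.hexdigest(normalized)[0, 12]}"
  end

  # Migration lookup: prefer the new-style directory, but still recognise a
  # directory created under the legacy (SHA-1) name so old caches are not
  # silently orphaned when the default digest changes.
  def self.find_existing(root, uri)
    [dir_name(uri), dir_name(uri, algo: LEGACY_ALGO)].each do |name|
      path = File.join(root, name)
      return path if Dir.exist?(path)
    end
    nil
  end

  # Self-contained demonstration on a constructed URI: a cache created under
  # the legacy name is still found after the default digest switches.
  # Returns [new_name, legacy_name, name_of_directory_found].
  def self.demo(uri = "https://example.invalid/gems/foo.git")
    Dir.mktmpdir do |root|
      legacy = dir_name(uri, algo: LEGACY_ALGO)
      Dir.mkdir(File.join(root, legacy))
      [dir_name(uri), legacy, File.basename(find_existing(root, uri))]
    end
  end
end

puts GemCloneDir.demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the new-style name, the legacy name and the directory that was actually found (the legacy one), which is the situation a migration plan has to handle: either rename existing directories once, or keep the dual lookup until the old names have aged out.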