Issue #18272 has been updated by byroot (Jean Boussier).


I went over the stdlib and there's no use of `Digest::SHA1` whatsoever. All the matches are from rubygems/bundler.

So I'm of the opinion this should be closed as third party issue.

----------------------------------------
Feature #18272: Please replace unsafe SHA1 with another digest algorithm
https://bugs.ruby-lang.org/issues/18272#change-94869

* Author: pvalena (Pavel Valena)
* Status: Third Party's Issue
* Priority: Normal
----------------------------------------
## Context
When working on a new version of RHEL (with Ruby 3.0), the requirement is to have a better security (remove unsafe digests or limit the use for non-security purposes). This would be achieved with using OpenSSL 3.0 as well, which will have a raised security level by default, forbidding the use of unsafe digests.

## Issue
SHA-1 does not conform to the security requirements, and its replacement would be preferred.
A quote from the discussion (the Bug is marked as internal):
```
SHA-1 is still possible to use for non-security use cases, but it we should try to prevent their use for signatures if possible. The Python took a way to prevent this using non-mandatory argument usedforsecurity=True to the constructor, which lets the programmers to indicate their intention explicitly and policy-makers to verify no SHA1 is used in security context. [1]

[1] https://docs.python.org/3/library/hashlib.html#hashlib.new
```

## Question
AFAICT in Ruby it is used for non-security purposes only. Could you confirm that?

## Possible solution
The use for non-security purposes might be indicated with setting an internal variable, which would allow the use of SHA-1 (although forbidden via OpenSSL setting). Do you think this would be possible?

## Additional information
The failing tests upon SHA-1 removal in Ruby 3.0.2: https://gist.github.com/pvalena/9a053c5585329b595e2bff504198eba5



-- 
https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request / ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>