On Fri, 2021-07-09 at 20:22 +0200, Florian Weimer wrote:
> * Ben Cotton:
>
> > == Detailed Description ==
> > The use of SHA-1 is no longer permitted for Digital Signatures or
> > authentication in RHEL-9. Due to this reason, there is a need to
> > remove SHA-1 extension from sqlite in RHEL-9 and therefore also
> > Fedora. The removal of the extension was discussed with sqlite
> > upstream development, who confirmed that it is safe to remove it and
> > should not impact other functionality of sqlite.
>
> Why can we keep SHA-1 in coreutils and Git, but not in SQLite? That
> does not make sense to me.
>
> SQLite is a general-purpose tool. Not every use of SHA-1 is
> cryptographically relevant. Most uses in the context of SQLite probably
> aren't, so the removal just annoys users for no good reason.

Note that this is a SQLite decision, from RHEL engineering we only
requested the removal in digital signatures and where integrity
protection is required for security.

Also note that we do not require full removal, just that SHA-1 is not
used unless users intentionally change configuration.

Simo.

--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc