You don't seem to get it. SHA-1 is part of the SQLite extensions, to add additional functions and virtual tables on top of the SQLite core, which anyone is free to add to their SQLite build or load as dynamic extensions. In this case, it adds a function to compute SHA1 hashes. That's not bad in and of itself, just as there's nothing wrong with computing a CRC32, which is even more *unsecure* as SHA1... How people use theses hashes is not SQLite's problem. Nor is SHA1 *bad*. It's for what SHA1 hashes are used that matters. And SQLite doesn't use them. SQLite also provides a SHA3 extension, right next to the SHA1 extension, so no one is *forced* to use SHA1 either. e.g. Fossil uses SHA3 now, used to use SHA1. But backward-compatibility with older repos requires SHA1 support too, of course. So both are needed and useful. Removing SHA1 from the SQLite repo would be a deservice to anyone that depends on it. And is highly unlikely to be removed (I hope so at least).