Ondrej, thanks for working on cryptographic security in redhat/fedora! You made https://fedoraproject.org/wiki/Changes/Sqlite_SHA-1 but I'm not sure you actually *understand* what you're doing here. How does removing a hash function that is not used for any auth/signature purposes on its own increase security? Are you also removing libsd's `md5` routine? For what purpose?

Let's go through your list of "sensible exception reasons":

> - If SHA-1 is used for Digital Signatures or authentication

Not the case here. This is but a function that is available to users.

> - If SHA-1 is used for signatures,

Not the case.

> - If SHA-1 is part of any default configuration list of hashing methods,

Not the case.

> - If SHA-1 is used for any other purpose, such as generating unique object IDs, switch to SHA-2 when possible. If this is not possible, attempt to limit the creation of further SHA-1 based identifiers and only use SHA-1 to consume existing object identifiers. This will make it easier to remove SHA-1 in the future.

Not possible, because this is a *database system*. The purpose of databases is to store data, permanently. So, there's already SHA-1 in such databases, and you removing the function to compute SHA-1 hashes doesn't change that; it only breaks existing software.

> - If this package implements DNSSEC

Not the case.

> - If this package requires SHA-1 for Digital Signature verification,

Not the case.

> - If your package uses a protocol that dictates the use of SHA-1 for Signature validation or authentication

Not the case.

I'd ask you to not remove functionality that your users (paying customers!) might be relying on from redhat/fedora because your scanner said there was a SHA-1 implementation. A SHA-1 implementation in itself isn't dangerous; it's using it for the wrong things that is dangerous.