On Thu, 2024-07-25 at 17:33 +0200, Tim Düsterhus wrote:
> 
> As an example, using md5_file() to implement a cache buster is fine,
> but a less-experienced developer may believe that md5_file() uniquely
> identifies the file contents and use it in a way where strong 
> collision-resistance against an adversary is required.
> 
> I'm positive that even existing projects written by experienced 
> developers would benefit from re-checking if their use of MD5 and
> SHA-1 is actually safe instead of assuming that this is the case,
> when the specific functionality has been untouched for the last 10
> years.

Isn't the philosophy of open source software "tools, not policy"?

I'm in the process of refactoring an old framework and I just found a
use of sha1(). It's being used to generate a unique resource lock. It
doesn't need to be secure, just a fast and random UID.

Reply via email to