On Thu, 2024-07-25 at 17:33 +0200, Tim Düsterhus wrote:
> 
> As an example, using md5_file() to implement a cache buster is fine,
> but a less-experienced developer may believe that md5_file() uniquely
> identifies the file contents and use it in a way where strong
> collision-resistance against an adversary is required.
> 
> I'm positive that even existing projects written by experienced
> developers would benefit from re-checking if their use of MD5 and
> SHA-1 is actually safe instead of assuming that this is the case,
> when the specific functionality has been untouched for the last 10
> years.

Isn't the philosophy of open source software "tools, not policy"? I'm in the process of refactoring an old framework and I just found a use of sha1(). It's being used to generate a unique resource lock. It doesn't need to be secure, just a fast and random UID.
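
As an added illustration (not part of either message, and not code from PHP itself or from any project mentioned): a small PHP script for the kind of re-check discussed above, listing each call to md5(), md5_file(), sha1() or sha1_file() so that a reviewer can decide case by case whether the use is a cache buster, a lock ID, or something that needs collision resistance. The function name `findWeakHashCalls`, the list of functions to flag and the sample source are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

// Functions to flag for manual review; md5_file() and sha1() are the two named in the thread.
const REVIEW_FUNCS = ['md5', 'md5_file', 'sha1', 'sha1_file'];

// Return [line, function] pairs for every plain call to a listed function in $source.
// Tokenizing instead of grepping skips comments, string literals and method calls.
function findWeakHashCalls(string $source): array
{
    $tokens = array_values(array_filter(
        token_get_all($source),
        fn($t) => !is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)
    ));
    $hits = [];
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok)) continue;
        [$id, $text, $line] = $tok;
        $isName = $id === T_STRING
            || (defined('T_NAME_FULLY_QUALIFIED') && $id === T_NAME_FULLY_QUALIFIED);
        if (!$isName) continue;
        $name = strtolower(ltrim($text, '\\'));
        if (!in_array($name, REVIEW_FUNCS, true)) continue;
        if (($tokens[$i + 1] ?? null) !== '(') continue;   // not a call
        $prev = $tokens[$i - 1] ?? null;
        $prevId = is_array($prev) ? $prev[0] : null;
        // Skip ->sha1(), ::sha1(), "function sha1()" and "new sha1()".
        if (in_array($prevId, [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION, T_NEW], true)) continue;
        $hits[] = [$line, $name];
    }
    return $hits;
}

// Constructed sample input, not taken from any real project.
$sample = <<<'PHP'
<?php
// md5() mentioned in a comment is ignored
$bust = '/app.css?v=' . md5_file('app.css');
$lock = sha1($resource . microtime());
$x = $repo->sha1($blob);
$s = "sha1(not a call)";
PHP;

foreach (findWeakHashCalls($sample) as [$line, $fn]) {
    echo "line $line: $fn() - review: is collision resistance against an adversary required here?\n";
}
```

The scan only locates call sites; whether each one is safe still depends on what the hash value is used for.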