Redmine

thanks for working on this!

however, the OpenID change isn't safe. The SHA1 algorithm is hardcoded here and your change will break it.
https://github.com/redmine/redmine/blob/49e323ae7af2998fc2785319643a9ac5bc93c425/lib/plugins/open_id_authentication/test/mem_cache_store_test.rb#L126

https://github.com/openid/ruby-openid do support SHA256, maybe add an option to choose it? It has to be a separate option, it can't depend on Rails.application.config.active_support.hash_digest_class

the second missing part is gravatars https://github.com/redmine/redmine/blob/master/lib/plugins/gravatar/lib/gravatar.rb#L68
as discussed in https://www.redmine.org/boards/2/topics/65253 I don't think there's a way to support this feature without MD5, so if the digest isn't available, the feature has to be disabled.

Pavel Rosický wrote in #note-1:

thanks for working on this!

however, the OpenID change isn't safe. The SHA1 algorithm is hardcoded here and your change will break it.
https://github.com/redmine/redmine/blob/49e323ae7af2998fc2785319643a9ac5bc93c425/lib/plugins/open_id_authentication/test/mem_cache_store_test.rb#L126

https://github.com/openid/ruby-openid do support SHA256, maybe add an option to choose it? It has to be a separate option, it can't depend on Rails.application.config.active_support.hash_digest_class

The openid plugin was removed so these issues are no longer available.

the second missing part is gravatars https://github.com/redmine/redmine/blob/master/lib/plugins/gravatar/lib/gravatar.rb#L68
as discussed in https://www.redmine.org/boards/2/topics/65253 I don't think there's a way to support this feature without MD5, so if the digest isn't available, the feature has to be disabled.

It seems that gravatar supports now also SHA256: https://docs.gravatar.com/avatars/hash/.

Should we take this change into consideration for 6.0.0? Jens, do you have any updated patch?

I would suggest to just swap out MD5 for SHA256 for the Gravatar use case. It seems not practical to tie this to the hash_digest_class configuration, so let's just hard code the algorithm suggested by the Gravatar docs here.

Jens Krämer wrote in #note-3:

I would suggest to just swap out MD5 for SHA256 for the Gravatar use case. It seems not practical to tie this to the hash_digest_class configuration, so let's just hard code the algorithm suggested by the Gravatar docs here.

Agree, I've posted the patch in #40652.

yeah, it looks like https://www.gravatar.com does support SHA256 now, it wasn't supported at the time when I wrote the comment (3 years ago)

no other objections then :)