From 5979542f622f52fa5760eecab59e89de02459306 Mon Sep 17 00:00:00 2001
From: Eli Schwartz <eschwartz@gentoo.org>
Date: Mon, 27 Jan 2025 01:15:29 -0500
Subject: [PATCH 1/3] gh-129327: revise hashlib documentation to account for
 FIPS removing sha1

More generally, the current documentation is a bit scattered, talking
about what terms are "equal" despite those terms not being very
interesting and given the term "secure hash", probably wrong (because
md5 and sha1 are not secure anymore).

Let's talk about cryptographically secure instead, and note that two of
them aren't. And then we can also link to the source for NIST going
through the removal process for SHA1.
---
 Doc/library/hashlib.rst                            | 14 +++++++-------
 .../2025-01-27-01-21-55.gh-issue-129327.sv2NB1.rst |  3 +++
 2 files changed, 10 insertions(+), 7 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Documentation/2025-01-27-01-21-55.gh-issue-129327.sv2NB1.rst

diff --git a/Doc/library/hashlib.rst b/Doc/library/hashlib.rst
index dffb167c74771f..0f2743731aa2fd 100644
--- a/Doc/library/hashlib.rst
+++ b/Doc/library/hashlib.rst
@@ -20,13 +20,12 @@
 
 --------------
 
-This module implements a common interface to many different secure hash and
-message digest algorithms.  Included are the FIPS secure hash algorithms SHA1,
-SHA224, SHA256, SHA384, SHA512, (defined in `the FIPS 180-4 standard`_),
-the SHA-3 series (defined in `the FIPS 202 standard`_) as well as RSA's MD5
-algorithm (defined in internet :rfc:`1321`).  The terms "secure hash" and
-"message digest" are interchangeable.  Older algorithms were called message
-digests.  The modern term is secure hash.
+This module implements a common interface to many different hash algorithms.
+Included are the FIPS secure hash algorithms SHA224, SHA256, SHA384, SHA512,
+(defined in `the FIPS 180-4 standard`_), the SHA-3 series (defined in `the FIPS
+202 standard`_) as well as the non-cryptographically-secure algorithms SHA1
+(`formerly part of FIPS`_) and RSA's MD5 algorithm (defined in internet
+:rfc:`1321`).
 
 .. note::
 
@@ -812,6 +811,7 @@ Domain Dedication 1.0 Universal:
 .. _the FIPS 180-4 standard: https://csrc.nist.gov/pubs/fips/180-4/upd1/final
 .. _the FIPS 202 standard: https://csrc.nist.gov/pubs/fips/202/final
 .. _HACL\* project: https://github.com/hacl-star/hacl-star
+.. _formerly part of FIPS: https://csrc.nist.gov/news/2023/decision-to-revise-fips-180-4
 
 
 .. _hashlib-seealso:
diff --git a/Misc/NEWS.d/next/Documentation/2025-01-27-01-21-55.gh-issue-129327.sv2NB1.rst b/Misc/NEWS.d/next/Documentation/2025-01-27-01-21-55.gh-issue-129327.sv2NB1.rst
new file mode 100644
index 00000000000000..513488560b8629
--- /dev/null
+++ b/Misc/NEWS.d/next/Documentation/2025-01-27-01-21-55.gh-issue-129327.sv2NB1.rst
@@ -0,0 +1,3 @@
+Clarify that hashlib's SHA1 is no longer a FIPS secure algorithm. Clarify that
+hashlib has a mixture of cryptographically secure and non cryptographically
+secure hash algorithms. Patch by Eli Schwartz.

From 22c7af65f60241cbbbd7db4aca2c76d052c6b2f5 Mon Sep 17 00:00:00 2001
From: Stan Ulbrych <stanulbrych@gmail.com>
Date: Sat, 19 Apr 2025 16:38:34 +0100
Subject: [PATCH 2/3] Add Gregors Suggestion

---
 Doc/library/hashlib.rst | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/Doc/library/hashlib.rst b/Doc/library/hashlib.rst
index 0f2743731aa2fd..7bf6152311f058 100644
--- a/Doc/library/hashlib.rst
+++ b/Doc/library/hashlib.rst
@@ -23,9 +23,8 @@
 This module implements a common interface to many different hash algorithms.
 Included are the FIPS secure hash algorithms SHA224, SHA256, SHA384, SHA512,
 (defined in `the FIPS 180-4 standard`_), the SHA-3 series (defined in `the FIPS
-202 standard`_) as well as the non-cryptographically-secure algorithms SHA1
-(`formerly part of FIPS`_) and RSA's MD5 algorithm (defined in internet
-:rfc:`1321`).
+202 standard`_) as well as the legacy algorithms SHA1 (`formerly part of FIPS`_)
+and the MD5 algorithm (defined in internet :rfc:`1321`).
 
 .. note::
 

From d87d6552994d10bd41216dcd8ef4f5249419ffa7 Mon Sep 17 00:00:00 2001
From: Stan Ulbrych <stanulbrych@gmail.com>
Date: Sat, 19 Apr 2025 16:39:19 +0100
Subject: [PATCH 3/3] Clean up

---
 .../2025-01-27-01-21-55.gh-issue-129327.sv2NB1.rst             | 3 ---
 1 file changed, 3 deletions(-)
 delete mode 100644 Misc/NEWS.d/next/Documentation/2025-01-27-01-21-55.gh-issue-129327.sv2NB1.rst

diff --git a/Misc/NEWS.d/next/Documentation/2025-01-27-01-21-55.gh-issue-129327.sv2NB1.rst b/Misc/NEWS.d/next/Documentation/2025-01-27-01-21-55.gh-issue-129327.sv2NB1.rst
deleted file mode 100644
index 513488560b8629..00000000000000
--- a/Misc/NEWS.d/next/Documentation/2025-01-27-01-21-55.gh-issue-129327.sv2NB1.rst
+++ /dev/null
@@ -1,3 +0,0 @@
-Clarify that hashlib's SHA1 is no longer a FIPS secure algorithm. Clarify that
-hashlib has a mixture of cryptographically secure and non cryptographically
-secure hash algorithms. Patch by Eli Schwartz.