I'm fine with changing the default behavior to not use this mechanism on non-Windows platforms, but why make the AuthCookieSha1 definition completely Windows-only? Users can still explicitly specific authentication mechanisms, so this change would remove the possibility to use this mechanism (and strictly speaking, be a breaking change since this removes an exported type). Even though EXTERNAL is pretty much always used when it works (i.e. on Unix), maybe some users have cases where even on Unix, EXTERNAL can't be used but SHA1 can.

Because all usage of SHA1 must be deprecated. I am also trying to build applications that embed go-dbus without ability to use SHA1 anymore.

I do not believe any Linux distribution has working and configured SHA1 Auth that is secure. Nor can it be used securely.

Is there any pre-existing evidence of any SHA1 usage on Linux? I posit, if there was, it would have been upgraded to sha256 by now.

If such pre-existing deployments exist I can add an opt-in build tag for this. However it is insecure, and dbus spec needs upgrades to sha256.

Cc @martinpitt any advice here? Or who else to ask?

I understand. Generally I try to stick to what the official spec says, and there it is still mentioned as the "recommended authentication mechanism for platforms and configurations where EXTERNAL cannot be used."

However it is insecure, and dbus spec needs upgrades to sha256.

I advise you to then open an issue with the spec itself: https://gitlab.freedesktop.org/dbus/dbus/-/issues

I can't judge how much / whether this is actually used - my gut feeling is that this is pretty rare, but I have been surprised before. We can merge this and see if any bug reports come in; but as long as the spec still mentions this mechanism, I'm prepared to revert this PR if this actually causes issues for users.

https://gitlab.freedesktop.org/dbus/dbus/-/issues/564