[dcow]

Exactly. At a former employer, we had the VA once symbol dump a library we were using and try to knock us since it included a symbol for a sha1 function. The hash was used for a non-security-critical component of web-sockets as a simple collision resistant session identifier. Good luck explaining this to the same people that tried to knock us for using a function that is deprecated in the windows libc implementation for not length-checking its parameters but has always worked correctly on Linux and macOS, citing the windows developer portal as documentation for why our mobile Android and iOS apps were cause for worry.