Replace CNIOSHA1 with SwiftCrypto

[weissi]

I'd be fantastic to remove the CNIOSHA1 module and replace it with Crypto.Insecure.SHA1 (which sadly is mandated by the WebSocket spec). Unfortunately, SwiftNIO 2 supports Swift 5.0+ and SwiftCrypto requires Swift 5.1.

[0xTim]

@weissi @Lukasa so why does this require a major version bump?

I looked through one of the old posts on the forums about SemVer and Swift and saw no discussion about language version changes. IMO changing the language version is a minor release and not a major release for these reasons:

• There are no API changes (even adding Crypto, any existing functions that would be replaced can be wrapped to maintain the public API). This is all that SemVer guarantees
• SwiftPM should stop anyone building with Swift 5 from pulling in a Swift 5.1 package, so again nothing should break
• Releasing a minor allows security updates and other major bug fixes to be released in patch versions.

Alamofire are also currently considering a minor release to bump the minimum Swift version.

Completely understand if it's a team policy or similar, it's your code after all! 😄 But would be good to know the reasons.

[Lukasa]

The risk isn't the raise in the Swift version number, but the OS constraints added by Swift Crypto. This is shown in SR-11489, but the core problem is that to depend on Swift Crypto we need to raise the floor of our minimum deployment targets. This immediately breaks all downstreams, which have to raise their floors as well. SwiftPM does not bring the minimum OS deployment targets into the dependency resolution phase, so it will happily choose a NIO version whose minimum deployment target is not suitable for the leaf package and then fail that build.

[0xTim]

Ahhh got you, that makes sense. Thanks!