Post audit: retire MD5 and SHA1
By using MD5 in particular, and SHA1 to some degree, we risk getting more complaints, even if those are used in contexts that are not security-related. Some procurement processes might simply ask whether obsolete and broken algorithms are in use. If they are, the software might be determined to be not suitable.
In one case, we had an interaction with a user who had those explicitly disabled in their deployment for security reasons.
If we decide to keep those, there should be a very good explanation in the ARM of why keeping those is acceptable. "Because getting rid of them is a lot of work" is not a good explanation.