[Cryptography] SHA1 collisions make Git vulnerable to attacks by third-parties, not just repo maintainers

John Levine johnl at iecc.com
Thu Feb 23 19:46:44 EST 2017


In article <20170223181409.GA6085 at savin.petertodd.org> you write:
>Concretely, I could prepare a pair of files with the same SHA1 hash, taking
>into account the header that Git prepends when hashing files.

The Google blog post describes what they did, and mentioned that it
used upward of 6500 CPU-years to create.  So while I agree that the
collision is real, and github should switch to better hashes ASAP, I'm
not too worried about an immediate blizzard of fake source code.

R's,
John
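The quoted remark about "the header that Git prepends" is worth seeing concretely. The following is an added example (not code from either poster): it computes the id Git assigns to a blob, shows that it differs from the plain SHA-1 of the content, and includes a small defender-side check that flags distinct contents sharing one SHA-1 object id, using SHA-256 to decide distinctness. The two known-answer ids are the documented `git hash-object` results for an empty file and for "hello\n".

```python
import hashlib


def git_blob_id(data: bytes) -> str:
    """Object id Git assigns to a blob: SHA-1 over b'blob <size>\\0' + content.

    Because this header is hashed first, a SHA-1 collision found on raw files
    does not automatically carry over to Git; an attacker would have to build
    the collision with the header included in the colliding prefix.
    """
    header = b"blob %d\0" % len(data)
    return hashlib.sha1(header + data).hexdigest()


def plain_sha1(data: bytes) -> str:
    """SHA-1 of the raw content, for comparison with the Git object id."""
    return hashlib.sha1(data).hexdigest()


def find_sha1_id_collisions(blobs):
    """Return Git object ids that are shared by more than one distinct content.

    Distinctness is judged by SHA-256, so exact duplicates (the same file
    stored twice) are ignored while a genuine SHA-1 collision is reported.
    """
    variants_by_id = {}  # git object id -> set of SHA-256 digests
    for data in blobs:
        oid = git_blob_id(data)
        variants_by_id.setdefault(oid, set()).add(hashlib.sha256(data).hexdigest())
    return sorted(oid for oid, variants in variants_by_id.items() if len(variants) > 1)


# Known-answer values from `git hash-object` (empty file, and "hello\n").
EMPTY_BLOB_ID = "e69de29bb2d1d6434b8b29ae775ad8c2e48c5391"
HELLO_BLOB_ID = "ce013625030ba8dba906f756967f9e9ca394464a"

if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    for content in (b"", b"hello\n"):
        print(content, "plain:", plain_sha1(content), "git:", git_blob_id(content))
    print("collisions:", find_sha1_id_collisions([b"hello\n", b"hello\n", b"world\n"]))
```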

