There is actually a push away from SHA-1 on security grounds, but as you can see Linus is trying to avoid it.
Again, git hashes aren't global uniqueness guarantees, and this is the purpose of commit signing.
Here it is shown that git signing will generate a secure signature based on the entire contents of the revision and not only some metadata using the SHA-1 hash. So it appears the movement to SHA-256 is more of a belt-and-suspenders solution to a problem created by inexperienced users.
I have been signing my commits by default for a long time. Just because it seems like the right thing to do.
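To make concrete what a git object ID and a commit signature actually cover, here is an added example, not code from the comment above or from git itself. It reproduces git's object hashing (`"<type> <size>\0"` header plus body, under SHA-1 or the newer SHA-256 object format), builds a commit object by hand, and strips the `gpgsig` header the way signature verification does to expose the bytes a commit signature is made over. The commit fields, message and the PGP-armour placeholder are constructed sample data, not a real signature; `git_object_id`, `build_commit` and `signed_payload` are this example's own helper names.

```python
import hashlib


def git_object_id(obj_type: str, body: bytes, algo: str = "sha1") -> str:
    """Compute an object ID the way `git hash-object` does: hash the header
    "<type> <size>\\0" followed by the raw body. "sha1" is the classic object
    format; "sha256" is the format selected by `git init --object-format=sha256`."""
    header = f"{obj_type} {len(body)}\0".encode()
    h = hashlib.new(algo)
    h.update(header + body)
    return h.hexdigest()


def build_commit(tree: str, parents: list, author: str, committer: str,
                 message: str, gpgsig: str = None) -> bytes:
    """Serialize a commit object: headers, blank line, message.
    A signature is embedded as a multi-line "gpgsig" header whose
    continuation lines are prefixed with a single space."""
    lines = [f"tree {tree}"]
    for p in parents:
        lines.append(f"parent {p}")
    lines.append(f"author {author}")
    lines.append(f"committer {committer}")
    if gpgsig is not None:
        sig_lines = gpgsig.splitlines()
        lines.append("gpgsig " + sig_lines[0])
        lines.extend(" " + s for s in sig_lines[1:])
    return ("\n".join(lines) + "\n\n" + message).encode()


def signed_payload(commit: bytes) -> bytes:
    """Return the bytes a commit signature is verified over: the commit object
    with the gpgsig header (and its continuation lines) removed. Everything
    else, including tree id, parents, author, committer and message, stays."""
    headers, _, message = commit.partition(b"\n\n")
    kept = []
    in_sig = False
    for line in headers.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True
            continue
        if in_sig and line.startswith(b" "):
            continue
        in_sig = False
        kept.append(line)
    return b"\n".join(kept) + b"\n\n" + message


# Constructed sample commit (ids, identities and signature are placeholders).
EMPTY_TREE = git_object_id("tree", b"")
AUTHOR = "Jane Doe <jane@example.com> 1700000000 +0000"
MESSAGE = "Tighten input validation\n"
FAKE_SIG = ("-----BEGIN PGP SIGNATURE-----\n"
            "placeholder, not a real OpenPGP signature\n"
            "-----END PGP SIGNATURE-----")

UNSIGNED = build_commit(EMPTY_TREE, [], AUTHOR, AUTHOR, MESSAGE)
SIGNED = build_commit(EMPTY_TREE, [], AUTHOR, AUTHOR, MESSAGE, FAKE_SIG)


def demo() -> dict:
    """Show what the commit id binds and what the signature binds."""
    tampered = build_commit(EMPTY_TREE, [], AUTHOR, AUTHOR, "Different message\n")
    return {
        "unsigned_id": git_object_id("commit", UNSIGNED),
        "signed_id": git_object_id("commit", SIGNED),
        "tampered_id": git_object_id("commit", tampered),
        # The signature is over exactly the unsigned serialization.
        "sig_covers_whole_commit": signed_payload(SIGNED) == UNSIGNED,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two things fall out of this. The signature binds every header and the message, so it is not "only some metadata"; but it binds the tree by its hash, and the tree binds blobs by theirs, so file contents are covered only through the hash function's collision resistance. That is the property the SHA-256 object format is meant to strengthen, and the commit id itself changes again once the `gpgsig` header is embedded, so a signed and unsigned copy of the same revision never share an id.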