SHA-1 is a cryptographic hash function designed by the U.S. Government as a Federal Information Processing Standard. Recently, collisions have been detected, meaning that SHA-1 is becoming more vulnerable to attacks, and its use for protecting data is not recommended.
- Stackoverflow.com Wiki
Let's consider this: say you have a git repository, make a commit, and get very, very unlucky: one of the blobs ends up having the same SHA-1 as another that is already in your repository. The question is, how would git handle this? Simply fail? Find a way to link the two blobs and check which one is needed according to the context?
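The following is an added example, not code from the Stack Overflow thread or from Git itself. It reproduces Git's blob hashing exactly (`sha1("blob <len>\0" + content)`, so `git_blob_id` matches `git hash-object`) and models the one property of the object database that answers the question: objects are addressed by hash alone, and writing an object whose id already exists is a no-op, so the first blob stored under an id wins and the later one is silently lost. Because no practical preimage for real SHA-1 is available, the collision is manufactured by truncating the digest to `digest_size` bytes (a demo-only parameter) and brute-forcing a second blob with the same truncated id; the blob contents are constructed sample data. Note that Git since 2.13 links a collision-detecting SHA-1 (sha1dc) that aborts on inputs bearing the SHAttered attack pattern, which is separate from the silent first-writer-wins behaviour shown here.

```python
import hashlib


def git_blob_id(content: bytes, digest_size: int = 20) -> str:
    """Hash bytes the way `git hash-object` does: sha1(b"blob <len>\\0" + content).

    digest_size=20 yields the real Git object id. Smaller values truncate the
    digest (demo only) so that a colliding blob becomes cheap to find.
    """
    header = b"blob %d\0" % len(content)
    return hashlib.sha1(header + content).hexdigest()[: digest_size * 2]


class ObjectStore:
    """Minimal model of Git's content-addressed object database.

    As in Git, writing an object whose id is already present keeps the
    existing bytes and returns success; nothing reports that different
    content was offered under the same id.
    """

    def __init__(self, digest_size: int = 20):
        self.digest_size = digest_size
        self.objects: dict[str, bytes] = {}

    def write_blob(self, content: bytes) -> str:
        oid = git_blob_id(content, self.digest_size)
        if oid not in self.objects:  # first writer wins, later writes are no-ops
            self.objects[oid] = content
        return oid

    def read(self, oid: str) -> bytes:
        return self.objects[oid]


def find_colliding_blob(content: bytes, digest_size: int) -> bytes:
    """Brute-force a different blob with the same truncated id.

    Only feasible because the digest is truncated; for full 20-byte SHA-1 a
    second preimage is far beyond reach (SHAttered was a chosen-prefix
    collision, not a preimage).
    """
    target = git_blob_id(content, digest_size)
    i = 0
    while True:
        candidate = b"replacement content %d\n" % i  # constructed sample data
        if candidate != content and git_blob_id(candidate, digest_size) == target:
            return candidate
        i += 1


def collision_demo(digest_size: int = 2):
    """Store two different blobs whose (truncated) ids collide and return
    (original, later, kept): the content the repository actually serves
    under that id is the original, the later blob is silently dropped."""
    store = ObjectStore(digest_size)
    original = b"print('hello')\n"  # constructed sample file
    oid = store.write_blob(original)
    later = find_colliding_blob(original, digest_size)
    oid_again = store.write_blob(later)  # reports the same id, looks successful
    assert oid == oid_again
    kept = store.read(oid_again)  # but the bytes served are the old ones
    return original, later, kept


if __name__ == "__main__":
    print("git id of 'hello\\n':", git_blob_id(b"hello\n"))
    orig, later, kept = collision_demo(digest_size=2)
    print("original:", orig)
    print("colliding blob:", later)
    print("repository serves original:", kept == orig)
```

With `digest_size=2` the search needs on the order of 65536 hashes and finishes in well under a second; the point generalises to the full-length id, where the same first-writer-wins rule applies but the colliding input cannot be found. A tree that references the id therefore always resolves to whichever blob entered the repository first, which is why a collision surfaces as "wrong file contents" rather than as an error.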
It is now practically possible to craft two colliding PDF files and obtain a SHA-1 digital signature on the first PDF file which can also be abused as a valid signature on the second PDF file.
A few weeks ago, researchers announced SHAttered, the first collision of the SHA-1 hash function. Starting today, all SHA-1 computations on GitHub.com will detect and reject any Git content that shows evidence of being part of a collision attack. This ensures that GitHub cannot be used as a platform for performing collision attacks against our users.