[fivesigma]

This requires the addition of random garbage in the first file which someone will detect anyway. Why not release an infected file with a timebomb malware instead of colliding SHA1? Much cheaper. Still, none of this allows you to attack an already existing torrent.

[xiphias]

Nobody will detect if a not important metadata field/asciiart is created/changed randomly, so this is a practical attack.

[shemnon42]

> This requires the addition of random garbage in the first file

Like a third party binary driver?