by otabdeveloper 3399 days ago
> Not saying it's easy, but now it's on the horizon.

Not really. It's not a preimage attack. They spent several hundred dollars to find two random byte strings with the same SHA1 hash. There's still no way to SHA1-collide a specific byte string instead of random junk.

This is exactly what euyyn is saying: create two files with the same SHA1 (by adding bytes of gibberish to an unused section), commit one to the repository, and now you have a collision available.
That's not how git uses hashes. In that scenario, there would still be a diff and hence git would recognize the files were different.