[tptacek]

The most recent and powerful collision attack on SHA1 is essentially a form of differential cryptanalysis, made feasible by SHA1's linear key schedule. SHA2 has a totally different key schedule that doesn't admit the same attack.

Blake2 looks like SHA2 in the sense that all cryptographic hash functions look kind of similar, but they're unrelated:

* the BLAKE hashes are derived from ChaCha20

* they're HAIFA hashes rather than Merkle-Damgard (you can sort of think of MD hashes as "previous generation" hashes, and anything after that as "current generation") --- MD hashes work sort of the way you'd think CBC-MAC works (just chaining and throwing out the results), and HAIFA keeps state between rounds.

* MD4, MD5, SHA1, and SHA2 are straight Davies Meyer constructions --- the compression function (1) encrypts the chaining value (2) with the current message block as the key and (3) XORs the result against the chaining value --- and BLAKE isn't.

Aumasson has posted, I think a couple times, a prediction that collisions in SHA2 simply won't ever be found; that's based on an assessment that there is essentially nothing on the horizon that threatens it. The reasons not to use SHA2 are performance (though: SHA2 has excellent perf on current hardware) and avoiding length extension attacks (ie, forgetting to use HMAC instead of keyed hashes, which nobody does).