The Git source code management system is built on the SHA-1 hash algorithm: every type of object stored in a Git repository is identified by its SHA-1 hash. Linus Torvalds designed Git without anticipating that SHA-1 might one day be unsafe, and he did not build in a way to switch to a different hash algorithm, so the choice of hash runs deep in the code.
But SHA-1 is showing its age, and Google announced its first successful collision attack on the SHA-1 hash algorithm in 2017. A collision attack is one in which two different messages produce the same hash value.
Earlier this year, researchers reduced the cost of an attack to $45,000, and that cost will continue to fall for years to come. Projects that use SHA-1 need to switch to a more secure hash algorithm as soon as possible.
After considering multiple alternatives, the Git community announced in 2018 that its next-generation hash algorithm would be SHA-256. Transitioning to SHA-256 is easier for small projects, but not for projects as large as the Linux kernel.
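To make concrete why the hash type "went deep into the code", the following added example (not from the original article and not Git's own code) computes Git object IDs under SHA-1 and SHA-256 and shows that a tree object stores raw digests whose width the reader must already know. The file names and contents are constructed, and the helper names are hypothetical.

```python
import hashlib

ID_LEN = {"sha1": 20, "sha256": 32}  # raw digest width in bytes

def object_id(obj_type: str, body: bytes, algo: str = "sha1") -> str:
    """Git hashes the header '<type> <size>\\0' followed by the body."""
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.new(algo, header + body).hexdigest()

def build_tree(files, algo: str) -> bytes:
    """Serialize (mode, name, content) as '<mode> <name>\\0' + raw blob ID."""
    out = b""
    for mode, name, content in sorted(files, key=lambda f: f[1]):
        raw_id = bytes.fromhex(object_id("blob", content, algo))
        out += f"{mode} {name}\0".encode() + raw_id
    return out

def parse_tree(tree: bytes, id_len: int):
    """Parse a tree body; id_len is the digest width the reader assumes."""
    entries, pos = [], 0
    while pos < len(tree):
        nul = tree.index(b"\0", pos)  # ValueError if no terminator is found
        mode, name = tree[pos:nul].decode().split(" ", 1)
        raw_id = tree[nul + 1 : nul + 1 + id_len]
        if len(raw_id) != id_len:
            raise ValueError("truncated object ID")
        entries.append((mode, name, raw_id.hex()))
        pos = nul + 1 + id_len
    return entries

def try_parse(tree: bytes, id_len: int):
    """Return parsed entries, or None when the assumed width breaks parsing."""
    try:
        return parse_tree(tree, id_len)
    except ValueError:  # covers missing NUL, bad UTF-8, malformed header
        return None

# Constructed sample files, not taken from any real repository.
FILES = [("100644", "a.txt", b"hello world\n"), ("100644", "b.txt", b"")]

if __name__ == "__main__":
    for algo, width in ID_LEN.items():
        tree = build_tree(FILES, algo)
        print(algo, "tree id:", object_id("tree", tree, algo))
        print("  parsed with own width:", try_parse(tree, width))
    # A reader hard-coded for 20-byte IDs misreads a SHA-256 tree.
    print("sha256 tree, 20-byte reader:", try_parse(build_tree(FILES, "sha256"), 20))
```

Because the tree format carries no per-entry length field, a reader that assumes 20-byte IDs either fails or returns wrong entries on a SHA-256 tree.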