joeyh

Also, note that signed git tags are only a signature of the sha1, so cannot be used to detect a collision attack.

Checking git commit signatures can detect a collision attack. Of course, that checking is also not enabled by default, and there's not yet a config to change that.
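What each kind of signature is computed over, as an added example that is not part of joeyh's comment: it extracts the signed bytes from a signed tag and a signed commit and separates fields that are only object ids from fields whose content is signed directly. The sample objects are constructed, with placeholder ids and signature bodies, and the function names are this example's own.

```python
import re

SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"
HEX40 = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample objects: ids, identities and signature bodies are placeholders.
TAG = "\n".join([
    "object " + "a" * 40, "type commit", "tag v1.0",
    "tagger Example Dev <dev@example.org> 1488000000 +0000", "",
    "release v1.0", SIG_BEGIN, "(placeholder)", SIG_END, ""])
COMMIT = "\n".join([
    "tree " + "b" * 40, "parent " + "c" * 40,
    "author Example Dev <dev@example.org> 1488000000 +0000",
    "committer Example Dev <dev@example.org> 1488000000 +0000",
    "gpgsig " + SIG_BEGIN, " ", " (placeholder)", " " + SIG_END, "",
    "fix parser", ""])

def tag_signed_payload(raw):
    """A tag signature covers the tag object up to the signature block."""
    return raw[:raw.index(SIG_BEGIN)]

def commit_signed_payload(raw):
    """A commit signature covers the commit object minus its gpgsig header."""
    head, sep, body = raw.partition("\n\n")
    kept, in_sig = [], False
    for line in head.split("\n"):
        if line.startswith("gpgsig "):
            in_sig = True              # drop the header line itself
        elif in_sig and line.startswith(" "):
            continue                   # drop its continuation lines
        else:
            in_sig = False
            kept.append(line)
    return "\n".join(kept) + sep + body

def covered(payload):
    """Return (ids only referenced by hash, fields whose content is signed)."""
    head, _, message = payload.partition("\n\n")
    refs, direct = {}, {"message": message}
    for line in head.split("\n"):
        key, _, value = line.partition(" ")
        (refs if HEX40.match(value) else direct)[key] = value
    return refs, direct

if __name__ == "__main__":
    for name, payload in (("tag", tag_signed_payload(TAG)),
                          ("commit", commit_signed_payload(COMMIT))):
        refs, direct = covered(payload)
        print(name, "references by id:", sorted(refs), "| signs directly:", sorted(direct))
```

The tag payload names the tagged commit only through its `object` id, while the commit payload carries that commit's author, committer and message bytes themselves and refers to its tree and parent by id.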