After digging into this some more, it's not quite the end of the world; colliding git commits can be generated, but it costs $75k and both such commits would point to the same tree, so such an attack couldn't do much damange at all.

I will continue to wear my gitSHA1pocalypse sandwitch boards though, the as chunks of the SHA1-sky continue falling.