the end times (of git security) are here
"The new result demonstrates a collision in SHA-1. The researchers found two PDF files that have the same hash."
I tried to push the git devs toward having a switch to throw, or a transition plan for this day, but I failed. There has been some slow work being done to that end, so perhaps this will pick up the pace.
You can, however, check the new colliding PDFs into git-annex. Just don't use --backend SHA1 when you do.
Looks like it just claimed it's first victim: