> to support SHA-256, we would simply use the system's crypto libraries ... I think this is probably the single strongest argument for sha256. "It's just there".
Sounds reasonable and well... boring. Just the kind of technical decisions I like.
edit: I found the email where they compared 256-bit hash functions. It seems Apple Common Crypto, gcrypt and NSS don't implement SHA-512. A new twist to the performance story is that OpenSSL's SHA-256 is faster than SHA-512/256 in the AMD Ryzen tests, possibly due to the recent introduction of hardware support.
Only build something yourself if it serves as a key differentiator or has the potential to do so. Otherwise, use off-the-shelf tools.
Checks out. :)
They go into it a bit more here. Where what they mean may change depending on the transition timeline. To begin with, prefer SHA-1, but convert internally to SHA256. Output names to users in SHA-1 still. Only late in the transition begin to use the SHA256 names.
However, the mode of operation can be changed by your git config.
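The dual naming described in the comment above (objects converted internally to SHA-256 while SHA-1 names are still shown to users), as an added example that is not part of the thread or of git's code. `TranslationTable` and its methods are hypothetical names, only blobs are handled (trees and commits embed other object names and would need those rewritten first), and the sample content is constructed.

```python
import hashlib


def object_name(obj_type: str, content: bytes, algo: str) -> str:
    """Hash '<type> <size>' + NUL + content, the framing git uses for objects."""
    header = f"{obj_type} {len(content)}\0".encode()
    return hashlib.new(algo, header + content).hexdigest()


class TranslationTable:
    """Hypothetical in-memory bidirectional SHA-1 <-> SHA-256 name map."""

    def __init__(self):
        self.by_sha1 = {}    # sha1 name   -> sha256 name
        self.by_sha256 = {}  # sha256 name -> sha1 name
        self.store = {}      # objects are stored under their sha256 name

    def add_blob(self, content: bytes) -> str:
        sha1 = object_name("blob", content, "sha1")
        sha256 = object_name("blob", content, "sha256")
        known = self.by_sha1.get(sha1)
        # Same SHA-1 name but a different SHA-256 name means two different
        # contents share one SHA-1 name: refuse instead of overwriting.
        if known is not None and known != sha256:
            raise ValueError(f"SHA-1 name {sha1} maps to two different objects")
        self.by_sha1[sha1] = sha256
        self.by_sha256[sha256] = sha1
        self.store[sha256] = content
        return sha1  # early in the transition the user still sees SHA-1

    def read(self, name: str) -> bytes:
        """Accept either name; 40 hex digits is treated as a SHA-1 name."""
        if len(name) == 40:
            name = self.by_sha1[name]
        return self.store[name]

    def display_name(self, sha256: str, late_transition: bool = False) -> str:
        """Name shown to the user: SHA-1 at first, SHA-256 late in the transition."""
        return sha256 if late_transition else self.by_sha256[sha256]


if __name__ == "__main__":
    table = TranslationTable()
    shown = table.add_blob(b"hello\n")  # constructed sample content
    internal = table.by_sha1[shown]
    print("shown to user :", shown)
    print("stored under  :", internal)
    print("late display  :", table.display_name(internal, late_transition=True))
```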
They just factored RSA-230, which was labelled to need 17 core years. https://news.ycombinator.com/item?id=17825383
In short, git migrated to a hardened SHA-1 hash after the SHAttered attack became known.
However, in the future more attacks against SHA-1 may be found, so git is trying to future-proof itself.
However, even in the case a hash function is no longer cryptographically secure, git doesn't lose out completely, just losing signing and shorthand fetches over the git protocol.
This project focuses on git with SHA256 and SHA-1 interchangeability, but doesn't address the git protocol side of things yet, which can come later.
This is SHA-1:
hash = SHA1(input)
collided, hash = SHA1DC(input)
hash = SHA1DC_safe(input)
So depending on the mode you use it in it's a different hash function than SHA-1. The Git project only uses it in the "detect a collision and die" mode: https://github.com/git/git/blob/master/sha1dc_git.c#L17-L23
Here's the part of the code where you can see it's implementing a different hash function: https://github.com/git/git/blob/v2.19.0-rc0/sha1dc/sha1.c#L1...
I.e. if detect_coll and safe_hash are set, it will return different hashes than SHA1() for the same input.