Repos should address keeping / 'fixing' broken sha-1 as needed. They also really need to create new native modes so users can initialize and use repos with (sha-3 / sha-256 / whatever) going forward. Backward compatibility with sha-1 or 'fixed sha-1' will be fine. Clients can 'taste' and 'test' repos for which hash mode to use, or add it to their configs. Make things flexible, modular, configurable, updateable. What little point is there in 'fixing / caveating' their use of broken sha-1, without also doing strong (sha-3 / optionals) in the first place, defaulting new inits to whichever strong hash looks good, and letting natural migration to that happen on its own through the default process? Introducing new hash modes also gives a good opportunity to incorporate other generally 'incompatible with the old' changes to benefit the future. One might argue against mixed mode; after all, export and import, as with any other repo migration, is generally possible. And mixed mode tends to prolong the actual endeavour to move to something better in the init itself. Native and new makes you update to follow. A lot of question / wrong ramble here, but the point should be consistent... move, natively, even if only for sake of death of old broken hashes. And attacks only get worse. Thought food is all.