I’ve heard quite a few times about how Git would be broken if someone found an easy way to create SHA-1 collisions.

A few years ago, after some attacks against SHA-1 were published, Linus explained that the security model of Git doesn’t depend on the hashes being cryptographically secure (although he said that it was a bonus and also mentioned a few possible problems).

There was an interesting thread in the Git mailing list about this topic: Starting to think about sha-256?.