Source Guru

So, SHA-1 has potential exploits, but you know what? I only use it for signing plain text things. Email, change files… I’ve no reason to use it for encryption, as I don’t encrypt things

Surely, if anyone is going to make something that collides with a valid signature of mine, it’s going to either a) be noticable to the person reading it (random characters in an email?) or b) not be processable by whatever automated sytem is using it.

I’ve yet to hear of any exploit that could affect the way I use SHA-1 in a meaningful way. Ok, yes, I’m not going to be using it to hash passwords in future (well, GPG uses it to hash passwords, but generally, to be able to crack that, someone would have to have my secret key anyway, which I would count as being compromised!)

If someone can give me a real world example of how this can be used against me, I might go out of my way to replace my key, but for now, I don’t see the need. Ok, I might take the next time I meet up with a fellow Debian Developer as a chance to replace my key, but I’m not going to go out of my way to do so (as I had to for getting my key signed by my first Debian/Ubuntu Developer in the first place)