
* zooko wrote:
> On the one hand, SHA-1 is cryptographically fragile and is deprecated for use in applications that require collision-resistance and pre-image resistance.

Such a cryptographically strong requirement is not given in the darcs case. SHA-1 is still used in almost all existing cryptographic protocols and is secure against the known attacks, because the protocol itself prohibits the attacking preconditions.

> SHA-2 is the current standard for those applications

It's not known if SHA-2 will suffer from the same attack principle or not. If you really consider the currently known attacks against SHA-1 as important, you have to leave the whole family and choose i.e. RIPEMD-160.

> On the other hand, why does darcs need a cryptographically secure hash function at all? Wouldn't MD5 or a sufficiently wide CRC, such as the one used in ZFS [2], do just as well? They would certainly be a lot faster to compute.

SHA-1 is the current standard for quick and dirty checksumming in new applications. Using MD5 or any CRC is only for software archaeologists.