https://www.schneier.com/blog/archives/2020/01/new_sha-1_attac.html
This one is pretty ugly and confuses GPG 1.4 when verifying keys using the web of trust. Debian has moved to gpg2 by default for a while now so I don't think this applies.
Git, however, still hasn’t deprecated SHA1 and is a security problem for projects that don’t sign tags.