SHA-1 has now seen collision attacks:
https://www.zdnet.com/article/sha-1-collision-attacks-are-now-actually-practical-and-a-looming-danger/

We should clarify that these attacks are not only theoretical, and
actively discourage using it in security-related applications in the
Elisp Manual.  The attached patch is an attempt at doing that.

Any comments?

Best regards,
Stefan Kangas