Consistent with Google's security disclosure policy, the source code for performing the collision attack will be published in 90 days. That means Git and an unknown number of other widely used services that rely on SHA1 have three months to wean themselves and their users off the insecure function

Woah. I wonder what this news will do for sha256 that bitcoin uses.