Git’s builtin SHA-1 implementation has the advantage of trying to detect attempted collisions (https://github.com/cr-marcstevens/sha1collisiondetection), which seems like good thing to do by default these days.
Furthermore, Debian does not ship GPL code linked with OpenSSL for license reasons (https://lintian.debian.org/tags/possible-gpl-code-linked-with-openssl.html). Anders
