
Yep. "It isn't the one solution, so it is worthless". Or even, "It isn't the best solution, so it is worthless".

Defense in depth, people!



Word bro. I am sick of people telling me that sha1 is "insecure". There are collisions out there but that does not mean if you use sha1sum for something that your app is insecure full stop.


Same here, and I've found it's a good way to tell apart decent security researchers/consultants from those that just blindly run their tools and send the results. If I get a report that my app is vulnerable because it uses sha1, and it's obvious that collision resistance doesn't matter at all in the context where sha1 is used, then I know the reporter can be ignored.



