I know it's quite a big change, but given the fact that SHA1 is ridiculously weak I think a "best practice/goodwill" move towards a more secure/collision-proof hash algorithm would be a good decision.

I haven't actually put too much thought into the possibility of generating malicious packages with colliding SHA1 hashes, but I'd assume it's possible.