Even after reading this 10 times I still don't understand what this hack is about.
I understand these things independently:
1) SHA1 collision weakness
2) Nix checking package SHA1 when updating packages
3) Chromium returning different SHA1 for each download
They get the best of everything, least they can do is be good at their meaningless pursuits.