Daniel says that we should move away from SHA-1 by switching hash algorithms for signatures and generating keys that use at least SHA-256 from the SHA-2 family. I have been bitten by non-default GPG options before. So I propose that we do a security release of GPG that changes the defaults of key generation and key signing in such a way that SHA-1 algorithms are not used by default for any operation, unless a backwards compatibility option is used.
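As an added illustration (not part of the message above and not GnuPG's own code): a hardened gpg.conf fragment using real GnuPG option names, next to a small shell check that flags digest-related options in an existing gpg.conf that still select SHA1. The sample weak config is constructed for the example; `cert-digest-algo` is the option that governs key signatures (certifications), which is what the proposal is about.

```shell
# Constructed sample of a gpg.conf that still pins SHA1 (made up for this example).
WEAK_CONF='cert-digest-algo SHA1
digest-algo SHA1
personal-digest-preferences SHA1 SHA256'

# Hardened settings. These are documented gpg(1) options:
#  - cert-digest-algo: digest used when signing (certifying) keys
#  - personal-digest-preferences: what we advertise / prefer for our own signatures
#  - default-preference-list: preferences written into newly generated keys
#  - weak-digest: reject signatures made with the named digest
# (digest-algo is deliberately left out: gpg(1) discourages forcing it, because it
#  ignores recipient preferences; the preference lists below achieve the same goal.)
HARDENED_CONF='cert-digest-algo SHA256
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
weak-digest SHA1'

# audit_gpg_conf CONFIG_TEXT
# Prints "weak: <line>" for every digest option that selects SHA1 (by name or by
# its OpenPGP id H2) and returns 1 if any was found, 0 otherwise.
# Usage on a real file: audit_gpg_conf "$(cat ~/.gnupg/gpg.conf)"
audit_gpg_conf() {
    printf '%s\n' "$1" | awk '
        # single-algorithm options set directly to SHA1
        /^[ \t]*(cert-digest-algo|digest-algo|s2k-digest-algo)[ \t]+SHA1([ \t]|$)/ {
            print "weak: " $0; bad = 1; next
        }
        # preference lists that still name SHA1 anywhere
        /^[ \t]*(personal-digest-preferences|default-preference-list)[ \t]/ {
            for (i = 2; i <= NF; i++) {
                if ($i == "SHA1" || $i == "H2") { print "weak: " $0; bad = 1; break }
            }
        }
        END { if (bad) exit 1; exit 0 }'
}
```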