Comment 1 for bug 420528

We can't change the default to SHA-2 without silently breaking people's code. The best we can do is to emit a warning when the default is relied upon, and eventually force the user to explicitly specify the hash function.