Warning: Patch hash format changed (breaking change)

Yes. We chose the hardest standardised hash at the time, because it’s always easier to decrease the security level later than to run into security problems.

That said, the design of libpijul on hashes is entirely forward-compatible: actually, the first byte of our patch identifiers indicates which hash function to use (in base64, all hashes started with A).

We might add Blake2s instead of SHA2 in the next release, which is capable of producing shorter hashes. Older patches will keep their identifier, though.
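The tagged-identifier scheme described in the post above, sketched as an added example (not libpijul's code): a leading byte selects the hash function, so identifiers made under the old function keep verifying after a new one is introduced. The tag values, the mapping of tag 0 to SHA-512 and tag 1 to Blake2s, and the URL-safe base64 alphabet are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Hypothetical registry: tag byte -> (name, constructor, digest length in bytes).
# Tag values and the SHA-512 / Blake2s assignment are assumptions, not libpijul's.
ALGORITHMS = {
    0x00: ("sha512", hashlib.sha512, 64),
    0x01: ("blake2s", hashlib.blake2s, 32),
}

# Constructed sample input standing in for serialized patch contents.
SAMPLE_PATCH = b"constructed sample patch bytes"


def make_id(tag: int, content: bytes) -> str:
    """Hash content with the algorithm registered for `tag`, prefix the tag byte."""
    _, ctor, _ = ALGORITHMS[tag]
    return base64.urlsafe_b64encode(bytes([tag]) + ctor(content).digest()).decode()


def parse_id(ident: str) -> tuple[int, bytes]:
    """Split an identifier into (tag, digest); reject unknown tags and bad lengths."""
    raw = base64.urlsafe_b64decode(ident)
    if not raw or raw[0] not in ALGORITHMS:
        raise ValueError("unknown hash algorithm tag")
    tag, digest = raw[0], raw[1:]
    # A digest of the wrong size for its tag is malformed, never "close enough".
    if len(digest) != ALGORITHMS[tag][2]:
        raise ValueError("digest length does not match algorithm")
    return tag, digest


def verify(ident: str, content: bytes) -> bool:
    """Recompute the digest with the algorithm named by the tag and compare."""
    tag, digest = parse_id(ident)
    expected = ALGORITHMS[tag][1](content).digest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    old_id = make_id(0x00, SAMPLE_PATCH)   # identifier under the older function
    new_id = make_id(0x01, SAMPLE_PATCH)   # shorter identifier under the newer one
    print(len(old_id), old_id[:12], verify(old_id, SAMPLE_PATCH))
    print(len(new_id), new_id[:12], verify(new_id, SAMPLE_PATCH))
```

The verifier picks the algorithm from the identifier itself, so the registry must stay append-only: reassigning a tag would silently change what older identifiers mean.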