sha-1 was broken about six years ago now, and even if it was not, whatever has it being used could be broken tomorrow. So always better for something important to use two very different hashes. The link to those hashes is not obvious at all from the link to the downloads on the main page. A link to them should be added.
SHA-1 is not broken. It is also highly unlikely it will go from where it stands now to completely broken and unusable for this purpose overnight. That said, I would be in favor of also signing a stronger hash. It is good to stay ahead.
It is broken. Think it was in '05. I remember it being a Chinese paper that showed this. If really need be I can probably dig up the links.
I assume you are referring to this:
Collision Search Attacks on SHA1This only demonstrates a collision of SHA1 with a reduced number of rounds. Their research does reduce the complexity of an attack on full the 80-round SHA1, but not enough that anyone has been able to produce a full collision.
Scary stuff, and a very good reason to move to something better, but, at least for now, an attacker can't tamper with a file without changing the SHA1 hash.
By the way, I am using the term "broken" to mean that actual collisions have been found or could reasonably be found with current technology. If you use "broken" to mean that there is a known attack faster than a birthday attack, then SHA1 is definitely broken.