diff --git a/CHANGELOG b/CHANGELOG
index bdb56ad314..d301db75f6 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -5,6 +5,11 @@ git-annex (6.20170215) UNRELEASED; urgency=medium
     This does not prevent the git repository from containing links
     to insecure hashes, but it does prevent the content of such files
     from being added to .git/annex/objects by any method.
+  * Tighten key parser to prevent SHA1 collision attacks generating
+    two keys that have the same SHA1. (Only done for keys that contain
+    a hash). This ensures that signed git commits of annexed files
+    will remain secure, as long as git-annex is using a secure hashing
+    backend.
   * fsck: Warn about any files whose content is present, that don't
     use secure hashes, when annex.securehashesonly is set.
   * Added --securehash option to match files using a secure hash function,
@@ -42,11 +47,6 @@ git-annex (6.20170215) UNRELEASED; urgency=medium
     to wget, since curl is able to display only errors to stderr, unlike
     wget.
   * status: Pass --ignore-submodules=when option on to git status.
-  * Tighten key parser to prevent SHA1 collision attacks generating
-    two keys that have the same SHA1. (Only done for keys that contain
-    a hash). This ensures that signed git commits of annexed files
-    will remain secure, as long as git-annex is using a secure hashing
-    backend.
   * Removed support for building with the old cryptohash library.
     Building with that library made git-annex not support SHA3; it's time
     for that to always be supported in case SHA2 dominoes.