I'm just curious if there is a possible attack vector here based on the fact that git uses the relatively weak SHA1.
Could a seemingly innocuous pull request generate another file with a backdoor/nonce combination that slips under the radar?
Apologies if this has come up before ...