Why not just do what Linus Torvalds does and simply trust his hash function? For anyone to tamper with the Linux kernel sources and have him not notice, they'd have to generate a SHA-256 collision and somehow get this change past thousands of clones of the repository.
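The argument above rests on hash chaining: each commit ID covers its file tree and its parent commit, so a changed file changes every later ID. The sketch below is an added example, not part of the original comment and not Git's own code. It assumes a layout modelled on Git objects (a header hashed together with the body), uses SHA-256 as the comment names, omits author and committer fields, and runs on constructed sample files.

```python
import hashlib
from typing import Optional

def obj_id(kind: str, body: bytes) -> bytes:
    """Git-style object ID: hash of '<kind> <len>\\0' followed by the body."""
    return hashlib.sha256(kind.encode() + b" %d\x00" % len(body) + body).digest()

def tree_id(files: dict) -> bytes:
    """A tree names each file by the hash of its contents."""
    body = b"".join(b"100644 " + name.encode() + b"\x00" + obj_id("blob", data)
                    for name, data in sorted(files.items()))
    return obj_id("tree", body)

def commit_id(files: dict, parent: Optional[bytes], message: str) -> bytes:
    """A commit covers its tree and its parent, so one ID pins all history."""
    lines = ["tree " + tree_id(files).hex()]
    if parent is not None:
        lines.append("parent " + parent.hex())
    body = "\n".join(lines) + "\n\n" + message + "\n"
    return obj_id("commit", body.encode())

def build_history(snapshots):
    """Commit IDs for a sequence of (files, message) snapshots, oldest first."""
    ids, parent = [], None
    for files, message in snapshots:
        parent = commit_id(files, parent, message)
        ids.append(parent)
    return ids

def first_divergence(ours, theirs):
    """Index of the first commit where two histories disagree, or None."""
    for i, (a, b) in enumerate(zip(ours, theirs)):
        if a != b:
            return i
    return None if len(ours) == len(theirs) else min(len(ours), len(theirs))

# Constructed sample history (not real kernel content).
HONEST = [
    ({"Makefile": b"all:\n", "main.c": b"int main(void){return 0;}\n"}, "initial"),
    ({"Makefile": b"all:\n", "main.c": b"int main(void){return 1;}\n"}, "second"),
    ({"Makefile": b"all: main\n", "main.c": b"int main(void){return 1;}\n"}, "third"),
]
# Same history with one byte changed in the oldest snapshot's main.c.
TAMPERED = [({**HONEST[0][0], "main.c": b"int main(void){return 2;}\n"}, "initial")] + HONEST[1:]

if __name__ == "__main__":
    clone, served = build_history(HONEST), build_history(TAMPERED)
    print("tip in clone:", clone[-1].hex())
    print("tip served  :", served[-1].hex())
    print("first differing commit:", first_divergence(clone, served))
```

The latest snapshot is byte-for-byte identical in both histories, yet its commit ID differs because the altered parent chain feeds into it; anyone holding an existing clone sees the mismatch by comparing a single tip ID.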