[a-nom-a-ly]

You might have a point regarding binary blobs but, IMO, if they can alter text(comments, source, etc.) in such a way that it's not obvious to the human reviewer, then they deserve to succeed. I don't know what `unused files` means. Git used `sha1` last time I checked, so I'm not sure why you mention `md5`.

[0x0]

Unused files: there are always plenty of files in a source distribution that aren't actually being used during a compile, for example a README file. As far as I know a commit id is a sha sum of a tree of files, so you could probably put any "adjusting bits" in an unimportant file.

Md5: Just an example of how hash collisions can work in real life (not aware of any published sha1 examples)