Sourceforge Attack: Full Report

Mercurial uses SHA1 hashes in the same way as git, and both of them borrowed this idea from Monotone. Bazaar also uses SHA1 for integrity checking, but it relies UUIDs to identify revisions. If you signed your revisions in Bazaar (with gpg), they cannot be forged, but I don't know Bazaar well enough to tell what happens with non-signed revisions.