Compliance nonsense

That's an interesting point. If the hash function is known to be weak (or you want to hedge against it becoming broken in future) then you could add an extra defence with a 'normalized hash'. If the file looks like C source code then strip out the comments, normalize the whitespace, and perhaps rename all the variables that aren't visible from outside the compilation unit. Then both the original content and the normalized one are hashed separately and both of these go into the final commit id.