It seems far more likely that the human gatekeepers will be more fallible than SHA1 in this context. How many people really understand the deeper intricacies of C, for example? Submit a patch to a Ruby or Python project to "speed up parsing" that includes a hunk of C. If it actually does speed up parsing, it's possible that the patch would be accepted. Maybe there's also a backdoor in the code. It could take months or years to be discovered, if the project isn't heavily populated by paranoid C programmers and isn't being scrutinized by a lot of people (this is why I generally like really popular Open Source software over niche projects...the level of scrutiny by security experts is much higher).
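One defensive response to the scenario above is to make the "human gatekeeper" step explicit: gate any patch that introduces native code into a Python or Ruby project behind a required review by someone who reads C. The script below is an added example written for this note, not code from the commenter or from any project; it parses a unified git diff (a constructed sample is embedded) and reports files that add or modify C-family sources, or build files (`setup.py`, `extconf.rb`, and the other names in `NATIVE_BUILD_FILES`, an assumed list) whose added lines start compiling or linking native code. The file names and diff content are constructed for illustration.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample: a "speed up parsing" patch against a pure-Python project
# that quietly introduces a C extension. Not taken from any real project.
SAMPLE_DIFF = """\
diff --git a/fastparse/parser.py b/fastparse/parser.py
--- a/fastparse/parser.py
+++ b/fastparse/parser.py
@@ -1,3 +1,4 @@
+from fastparse._cparse import parse_fast
 def parse(data):
-    return slow_parse(data)
+    return parse_fast(data)
diff --git a/fastparse/_cparse.c b/fastparse/_cparse.c
new file mode 100644
--- /dev/null
+++ b/fastparse/_cparse.c
@@ -0,0 +1,3 @@
+#include <Python.h>
+/* parsing accelerator */
+static PyObject *parse_fast(PyObject *self, PyObject *args) { return NULL; }
diff --git a/setup.py b/setup.py
--- a/setup.py
+++ b/setup.py
@@ -5,3 +5,5 @@
 setup(
     name="fastparse",
+    ext_modules=[Extension("fastparse._cparse", ["fastparse/_cparse.c"])],
 )
"""

FILE_HEADER = re.compile(r"^diff --git a/(\S+) b/(\S+)$")

# Source suffixes that mean "someone who reads C must look at this" (assumed list).
NATIVE_SUFFIXES = {".c", ".h", ".cc", ".cpp", ".cxx", ".hpp", ".pyx", ".pxd", ".s", ".S"}
# Build files through which a Python or Ruby project compiles native code (assumed list).
NATIVE_BUILD_FILES = {"setup.py", "setup.cfg", "pyproject.toml", "extconf.rb", "Rakefile"}
# Added lines in those build files that indicate native compilation or FFI.
NATIVE_BUILD_MARKERS = re.compile(r"ext_modules|Extension\(|create_makefile|have_library|cffi|ctypes")


@dataclass
class Finding:
    path: str
    reason: str
    added_lines: int


def split_files(diff_text):
    """Yield (path, added_lines) per file in a unified git diff.

    Only '+' content lines are collected; the '+++ b/...' header is skipped.
    """
    path, added = None, []
    for line in diff_text.splitlines():
        m = FILE_HEADER.match(line)
        if m:
            if path is not None:
                yield path, added
            path, added = m.group(2), []
        elif line.startswith("+") and not line.startswith("+++"):
            added.append(line[1:])
    if path is not None:
        yield path, added


def flag_native_code(diff_text):
    """Return a Finding for every file that adds native code or wires it into the build."""
    findings = []
    for path, added in split_files(diff_text):
        name = os.path.basename(path)
        suffix = os.path.splitext(name)[1]
        if suffix in NATIVE_SUFFIXES:
            findings.append(Finding(path, "adds or changes native source", len(added)))
        elif name in NATIVE_BUILD_FILES and any(NATIVE_BUILD_MARKERS.search(l) for l in added):
            findings.append(Finding(path, "build config now compiles/links native code", len(added)))
    return findings


def needs_native_review(diff_text):
    """True when the patch should be routed to a reviewer who reads C."""
    return bool(flag_native_code(diff_text))


if __name__ == "__main__":
    for f in flag_native_code(SAMPLE_DIFF):
        print(f"{f.path}: {f.reason} ({f.added_lines} added lines)")
    print("native review required:", needs_native_review(SAMPLE_DIFF))
```

Run as a pre-merge check, this turns "a hunk of C slipped into a parsing speed-up" from something a maintainer has to notice into a routed review requirement; it does not judge whether the C is safe, only that a qualified person must look before the patch is accepted.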