> implement everything in terms of commit hashes

And remember, git uses a vulnerable algorithm :)