If someone wants to commit malicious code into Gentoo, they're far more likely to take the ugly but pragmatic approach of, say, forcing someone to commit malicious code at gunpoint and then shooting them, than to go to the vast effort it would take to come up with malicious code that conveniently has the same SHA-1 hash as an existing commit.
-Tim
