My first rule is - if you don't need it (SHA, UUID, etc...) - don't use it.
My second rule is - don't be a priest - if someone did it and it works then it works.
The assumption that close-to-impossible collisions don't happen is a belief, not a mathematically proven fact. ;-) Such problems are also more complex than just one-dimensional collision math.
> The assumption that close-to-impossible collisions don't happen is a belief, not a mathematically proven fact.
I'm not assuming they're impossible. I'm estimating the probability, and rationally prioritizing risks based on probability and severity of impact, balanced against the real-world costs of using gigabytes of source code as a primary key vs a SHA-256 checksum.