Deprecate use of MD5Sums - Switch to SHA hashes or another mechanism to verify download integrity & publish on CiviCRM.org
Currently each Civi release on SourceForge is accompanied by an MD5SUMS file to verify the integrity of the download.
Because MD5 collision attacks are easy to conduct and MD5 hashing is considered insecure for file download verification, CiviCRM should consider switching to GPG or SHA checksum verification, and should publish the checksums or signatures on CiviCRM.org rather than having them reside solely on SourceForge.
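A sketch of what SHA checksum verification could look like on the downloader's side, added here as an example and not taken from CiviCRM's own tooling. It assumes a coreutils-style SHA-256 sums file fetched from a site separate from the download host; the file names and sample content are constructed.

```python
import hashlib
import hmac
import os
import re
import tempfile

SHA256_HEX = re.compile(r"[0-9a-f]{64}")

def parse_sha256sums(text):
    """Parse coreutils-style lines ('<hex>  <name>' or '<hex> *<name>').

    Lines whose digest is not 64 hex characters (for example a 32-character
    MD5 digest) are ignored, so a legacy MD5SUMS entry never verifies anything.
    """
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if SHA256_HEX.fullmatch(digest):
            entries[name] = digest
    return entries

def sha256_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so large release archives do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, sums_text):
    """Return 'ok', 'mismatch', or 'unlisted' for the file at path."""
    expected = parse_sha256sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"
    return "ok" if hmac.compare_digest(sha256_of(path), expected) else "mismatch"

# Constructed sample: a stand-in "release" whose content is b"abc".
SAMPLE_NAME = "example-release.tar.gz"  # hypothetical file name
SAMPLE_SUMS = (
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  example-release.tar.gz\n"
    "900150983cd24fb0d6963f7d28e17f72  legacy-md5-entry.tar.gz\n"  # MD5-length, ignored
)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, SAMPLE_NAME)
        with open(p, "wb") as fh:
            fh.write(b"abc")
        print(verify_download(p, SAMPLE_SUMS))
```

A checksum only proves the file matches what the sums file lists, so the sums file has to come from a channel the download host cannot alter; a GPG signature over the sums file covers the case where it cannot.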