Could we generated sha256 files for the release tarballs, instead of the
md5 files that are currently generated? The packaging systems that I
surveyed that verify the checksum of the tarball (FreeBSD ports and the
like) don't use md5 anymore, so a sha256 file would be much more useful
for direct verification. For someone doing manual checking of their
download, it wouldn't make a difference if a different method is used.
We could start doing that either beginning with the 9.3 release series,
or beginning with the next set of minor releases.