Given the MD5 and SHA0 cracks, the use of MD5 to sign CD images, especially ones that are large and easily padded with new data, should be phased out in favour of something like SHA1SUMS.
Assigning to release engineering.
To guard against a possible future vulnerability in SHA1 (or any hashing algorithm), why not provide multiple checksums? All checksums must be okay for the package (etc) to be installed.
Reassigning to Jeremy since the implant utility is included in the anaconda packages.
I don't think that Alan is caring about what's embedded in the ISO here... that's really just an arbitrary checksum to ensure we can read all of the disc. The bigger concern is the distributed MD5SUMs which you can then use externally to verify that the ISO you got is the same one we distributed.
Rather than forever switch checksum algorithms to something which hasn't been broken yet, why not provide multiple checksums? Difficult to break.
The script used to prep an FC tree has been switched to use SHA1 instead of MD5 (which hasn't really been "broken", but anyways...)
Time for multiple hashes? http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
NetBSD have switched to using multiple checksums. "the pkgsrc infrastructure has been changed to use multiple digest algorithms for distfiles and distpatches, and all the distinfo files in pkgsrc have been updated, where possible, to use multiple checksums." -- http://mail-index.netbsd.org/tech-pkg/2005/03/07/0023.html
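
The multiple-checksum idea raised in this thread, as an added example that is not from any commenter or from the Fedora or NetBSD tooling: a verifier that reads the image once, computes every required digest, and treats a missing entry as a failure, so removing the stronger checksum from a manifest does not weaken the check. The file name, the `REQUIRED` policy and the sample bytes are constructed assumptions; manifests are assumed to use the `md5sum`/`sha1sum` line format.

```python
import hashlib
import hmac
import io

# Assumption: the verifier, not the manifest, decides which algorithms are mandatory.
REQUIRED = ("md5", "sha1")

def parse_sums(text):
    """Parse md5sum/sha1sum-style lines: '<hex digest>  <filename>'."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, name = line.split(None, 1)
        # A leading '*' marks binary mode in the coreutils format.
        entries[name.strip().lstrip("*")] = digest.lower()
    return entries

def digest_all(stream, algorithms, chunk_size=1 << 20):
    """Feed every hash from a single read pass, so a large ISO is read once."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}

def verify(name, stream, manifests, required=REQUIRED):
    """manifests maps algorithm -> parsed sums. Returns (ok, failures)."""
    failures = []
    actual = digest_all(stream, required)
    for algo in required:
        expected = manifests.get(algo, {}).get(name)
        if expected is None:
            failures.append(f"{algo}: no entry")  # absent checksum is a failure
        elif not hmac.compare_digest(expected, actual[algo]):
            failures.append(f"{algo}: mismatch")
    return (not failures, failures)

# Constructed sample data (not real release checksums).
ISO_NAME = "example-disc1.iso"
ISO_BYTES = b"constructed ISO payload\n" * 4
MANIFESTS = {
    "md5": parse_sums(f"{hashlib.md5(ISO_BYTES).hexdigest()}  {ISO_NAME}\n"),
    "sha1": parse_sums(f"{hashlib.sha1(ISO_BYTES).hexdigest()} *{ISO_NAME}\n"),
}

if __name__ == "__main__":
    print(verify(ISO_NAME, io.BytesIO(ISO_BYTES), MANIFESTS))
```

The manifests only help if they arrive over a channel the image did not, for example a signed checksum file.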