I'm not sure anyone is going to invest a year's worth of computation with 100 GPUs to generate a colliding SHA1 sum for an installer image which normally has a three-month lifespan, especially when there's a GPG signature too.
That said, it takes zero net effort to switch from sha1 to sha256, or minimal extra to provide each sha1, sha256, and sha512, so we should just do it.
@Maintainers Can you easily generate a number of different checksums for the installer images?
Back in the day, our download provider offered sha1sum by default when hovering over. We already recommend checking via the signature file rather than checksums. We will see if it makes sense to display other sums instead of sha1.
Can't put it better than @scachemaille, maybe I can add that md5 is as suitable for integrity verification (for random download errors) as sha1.
For security against attackers better use GPG signature verification, not any sha556 or whatever sha.
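
On the question above about generating several checksums per image: an added example, not code from this thread or from the project, that computes sha1, sha256 and sha512 in a single read of the file and checks a download against lines in the `<hex>  <name>` layout that `sha256sum`-style files use. The file name, function names and sample data are constructed for illustration. This only catches corrupted downloads; the signature check recommended in the thread is a separate step.

```python
import hashlib
import os
import tempfile

ALGOS = ("sha1", "sha256", "sha512")
# Hex digest length -> algorithm, used to recognise a checksum line.
BY_HEX_LEN = {hashlib.new(a).digest_size * 2: a for a in ALGOS}


def multi_digest(path, algos=ALGOS, chunk_size=1 << 20):
    """Read the file once and feed every chunk to all hash objects."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def checksum_lines(path):
    """Lines in the '<hex>  <name>' layout used by sha256sum-style files."""
    name = os.path.basename(path)
    return {a: f"{d}  {name}" for a, d in multi_digest(path).items()}


def verify_line(line, directory):
    """Check one checksum line against the named file in `directory`."""
    expected, _, name = line.strip().partition("  ")
    algo = BY_HEX_LEN.get(len(expected))
    if algo is None or not name or os.path.basename(name) != name:
        return False  # unknown digest length or a path outside `directory`
    actual = multi_digest(os.path.join(directory, name), (algo,))[algo]
    return actual == expected.lower()


def demo():
    """Constructed stand-in for an installer image; returns check results."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "installer-example.img")  # hypothetical name
        with open(image, "wb") as fh:
            fh.write(b"constructed sample image\n" * 4096)
        lines = checksum_lines(image)
        ok = all(verify_line(l, d) for l in lines.values())
        with open(image, "ab") as fh:  # simulate a corrupted download
            fh.write(b"\x00")
        bad = any(verify_line(l, d) for l in lines.values())
        return sorted(lines), ok, bad
```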