A better hash function would be appreciated too.
Serving an MD5 hash over HTTP is only useful to detect corruption during download but won't help detect any kind of tampering.
Even using the Twitter of one of the maintainers as a source for the checksum would work, no need to set up HTTPS on the webpage (though it would be recommended).
Thank you for the great distribution.
Sorry for my English.