Long ago, we added support for SHA-256 checksums to the live CD integrity check mechanism. That change was always a bit of a "security theater" — it's about the built-in check that simply verifies that the image was not accidentally corrupted, so even CRC sums wouldn't be that bad for that purpose. It's just that any use of a really old HMAC algorithm gives people (myself included) a knee jerk reaction.

In any case, we never removed MD5 sums, for some reason — only added SHA-256. I checked that removing them doesn't break anything, even direct upgrade from 1.3.8 is unaffected, so it's time to remove them.