The main review guidelines page [1] specifically requires that one use
md5sum to compare packages' tarballs against those from upstream. Is it
necessary to require a specific algorithm? If so, should it still be
MD5 in this day and age?
[1]
http://fedoraproject.org/wiki/Packaging:ReviewGuidelines