I saw a question like this posted some while ago, but not in this section where I think it should have been.
In these days of the NSA tapping international cables, hijacking downloads, and possibly much, much more, you only publish MD5 hashes of the ISO files. I'm sure there is some kind of internal package verification done when an install is being performed, and I suspect the development team probably has and uses GPG signatures for its own verification purposes. So how come you don't publish them?
MD5 hashes have been known to be insecure for a long time. Fedora and even Ubuntu publish an assortment of hashes that are much more secure than MD5, and then sign them with the Fedora or Ubuntu GPG release key.
This is a quote from Wikipedia re: "MD5 hashes":
..."Also in 2004 more serious flaws were discovered in MD5, making further use of the algorithm for security purposes questionable — specifically, a group of researchers described how to create a pair of files that share the same MD5 checksum."
Please don't misunderstand, I'm not being nasty. I'm an ex-Windows user, and am purposely moving away from Windows for security reasons. So I would just like to know why.