Comment 2 for bug 1883272

1) no, we do not ask users to veryfiy md5sums, we only ask them to verify sha256.

2) the second concern is irrelevant to whether or not we publish 3 sets of checksums, or 2.

I will address point #2 anyway.

Note, that releases.ubuntu.com and ubuntu.com are both served with HTTPS. Our short form instructions tell people how to confirm sha256, which they have acquired over HTTPS. (see attachment)

The longer form tutorial instructions tell users how to use gpg as well. So that is documented as well.

https://ubuntu.com/tutorials/tutorial-how-to-verify-ubuntu#4-retrieve-the-correct-signature-key

All of the above is linked from the welcome page. Maybe releases.ubuntu.com / cdimage.ubuntu.com should link to the tutorial too.