Not sure what repo to report this at. MD5 is claimed to be insecure.

The checksums are not intended to be used for checking the authenticity of files. They are only to verify the data integrity of the file. See this page on the Arch wiki for more details.