[Distutils] Proposal: drop md5 for sha256

Daniel Holth dholth at gmail.com
Tue Jul 3 15:54:20 CEST 2012


> And yes, attacks on md5 will only get better, so we should migrate to
> better hashes in the future. But if there is something to be
> embarrassed about, it's not the use of md5, but the lack of proper
> code signing and trust paths between developers.

I'm going to implement this except I will replace the sha256: with a
sha256=. There is simply no realistic drawback. Strong hashing is a
prerequisite for a trust path, and you avoid the need to even think
about why it is OK in this specific circumstance that a weak hash is
being used.
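As an added illustration, not code from this thread or from distutils/pip, here is a Python check that verifies a downloaded file against a sha256= style URL fragment and refuses the legacy md5= form outright; the URL, file contents and the HashError class are constructed for the example.

```python
"""Verify a downloaded file against an '#<algo>=<hexdigest>' URL fragment,
accepting only sha256 or stronger and rejecting the legacy md5= form.
Illustrative code, not from the Distutils-SIG thread."""
import hashlib
import hmac
from urllib.parse import urlsplit

# Hash names accepted in a fragment; md5 is deliberately absent.
STRONG_ALGORITHMS = ("sha256", "sha384", "sha512")


class HashError(ValueError):
    """Raised when the fragment is missing, weak, malformed or mismatched."""


def parse_hash_fragment(url):
    """Return (algorithm, hexdigest) from the URL's '#algo=hex' fragment."""
    fragment = urlsplit(url).fragment
    if "=" not in fragment:
        raise HashError("no hash fragment on %r" % url)
    algorithm, _, digest = fragment.partition("=")
    algorithm = algorithm.lower()
    if algorithm not in STRONG_ALGORITHMS:
        raise HashError("refusing weak or unknown hash %r" % algorithm)
    digest = digest.lower()
    expected_len = hashlib.new(algorithm).digest_size * 2
    if len(digest) != expected_len:
        raise HashError("malformed %s digest" % algorithm)
    if any(c not in "0123456789abcdef" for c in digest):
        raise HashError("malformed %s digest" % algorithm)
    return algorithm, digest


def verify_download(url, data):
    """Return True if data hashes to the digest named in url's fragment."""
    algorithm, expected = parse_hash_fragment(url)
    actual = hashlib.new(algorithm, data).hexdigest()
    # Constant-time compare so a mismatch leaks nothing about the prefix.
    if not hmac.compare_digest(actual, expected):
        raise HashError("%s mismatch for %r" % (algorithm, url))
    return True


if __name__ == "__main__":
    # Constructed sample: a fake sdist body and the URL an index might publish.
    payload = b"example-1.0.tar.gz contents (constructed)"
    good_url = ("https://example.invalid/simple/example/example-1.0.tar.gz#sha256="
                + hashlib.sha256(payload).hexdigest())
    print(verify_download(good_url, payload))
```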

