A while ago, we switched the whole stable distro from the long MD5 to SHA256 for source checksums. The now-merged dpkg1.16 branch has some packages that use MD5 and others SHA256. There is a note in fink.info "checksums other than MD5 can interfere with upgrade from older version", which I assume is about when updating a machine that is still running a fink so old it only knows MD5, it would not be able to build using an info that has SHA256 instead. Fink added support for SHA256 in 2017, and its implementation requires any one of:

• %p/bin/sha26deep
• /usr/bin/openssl
• %p/bin/openssl
• %p/lib/coreutils/bin/sha256sum

whereas MD5 can use /sbin/md5, or Digest::MD5 that has been in perl-core since 5.7.3.

Should we be conservative and keep MD5 in the whole fink-core suite? Or should we include both checksums, so newer boxes benefit but upgrading older won't break (a fink that old doesn't even know to look at the new-checksum .info field at all)? But if there's no SHA256 support, checksum check fails.