https://lists.archlinux.org/pipermail/arch-dev-public/2016-November/028492.html i have a few things to add to this. the message digests at the download page for the .iso file, must change to sha256 and sha512 ones, or to a sha512 one. if an upstream does not sign the files, does not have https enabled, and/or refuses to take security and privacy seriously, sha512 must be used in the PKGBUILD files. in the cases of upstreams that use md5 and/or sha1 message digests, those will be added in a second ALGOsums= line under the sha512sums= line. if they use md5 and sha1, then sha1sums must be used for the second ALGOsums= line.
