The recently updated checksum policy from infra means more people should be
using tools like sha512sum or shasum (or even sha1sum) instead of md5sum,
but the instructions for users to verify releases:
https://www.apache.org/info/verification only mention md5sum tools. They
should be updated to include mention of tools for checking SHA-1 and SHA-2
hashes. This page is so old and out of date that it even still mentions
textutils, which was rolled into coreutils 15 years ago.

I'm not sure who can update this page, but it definitely needs some
attention. Otherwise, projects will have to provide their own, possibly
inconsistent, verification instructions (rather than link to this page, as
many do now).

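An added example, not part of the original message or of the verification page it discusses: a POSIX shell helper that checks a download against a published SHA-512 digest using whichever of sha512sum or shasum is installed. The function names and the "digest first, then filename" checksum-file layout are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the tools are the ones
# named in the message above (sha512sum from coreutils, or shasum).

# Print the lowercase hex SHA-512 digest of the file given as $1.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum < "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 512 < "$1" | awk '{print $1}'
    else
        echo "no SHA-512 tool found" >&2
        return 2
    fi
}

# verify_sha512 FILE EXPECTED
# EXPECTED is a hex digest, or the path of a checksum file whose first
# field on the first line is the digest (assumed layout).
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_sha512() {
    file=$1
    expected=$2
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    if [ -f "$expected" ] && [ -r "$expected" ]; then
        expected=$(awk 'NR==1 {print $1}' "$expected")
    fi
    # Normalise case and whitespace so upper-case digests still compare.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f' | tr -d '[:space:]')
    case $expected in
        ''|*[!0-9a-f]*) echo "expected value is not hex" >&2; return 2 ;;
    esac
    # SHA-512 is 128 hex characters; an MD5 or SHA-1 digest is rejected here
    # instead of being reported as a mismatch.
    [ "${#expected}" -eq 128 ] || { echo "not a SHA-512 digest" >&2; return 2; }
    actual=$(sha512_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
    else
        echo "MISMATCH: $file" >&2
        return 1
    fi
}
```

The digest or checksum file should come from the project's own site over HTTPS rather than from the mirror that served the download.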