The solution would be to combine several methods of checking. Even if an attacker can compromise the data in a way that one algo still fits (MD5 is not 100% secure after all -- how do you want to have unique fingerprints for *any* data when you only have 128 bits to store them?) a second one (SHA1, RIPEMD160) probably fails.
Wrong answer. USE GNUPG. Ok the problem with MD5/SHA1/etc/etc is for each package I need to get you the package, and the sig securely. With GnuPG I need to get the key to you securely ONCE, i.e. SuSE ships the keys on the CD. SuSE cannot ship all the future MD5/SHA1/etc sums on the CD for obvious reasons.
And don't believe in "automated security". I feel quite strongly that automatic updates won't work without heavy human supervision. :) Having your system (potentially) damaged by a simple-minded program sucking in every update unchecked just because "the file was there and I felt like applying it" is not fun. When something breaks, *I* want to be the reason why. :>
Security has to be automated as much as possible. What happens when companies roll out 5000 Linux desktops? -Kurt