by andersen1488
3714 days ago
The purpose of publishing a public MD5 sum of a software release from the developer is to prevent tampering with an image. If I download an ISO of Ubuntu and check the MD5 value, and it doesn't match what Canonical says it should, then it's been tampered with.

For verifying downloads, you should be using the gpg signatures. And again, I don't think there's much of a reason to provide both signatures and plain hashes today, but: you might be in a jurisdiction where gpg is illegal (but then, you wouldn't be allowed to use Ubuntu anyway), or you might be bootstrapping from a system without gpg installed (e.g. vanilla Windows), but with sha256 installed, and a set of trusted CA certs, so that you feel you can trust the downloaded hash. I'd argue it's probably a false sense of security: in general the gpg signatures (or more precisely the secret keys behind those signatures) should be easier to secure, and easier to tie to the trustworthiness of the builds, than some random web server not being compromised. Or, put another way, in a scenario where the gpg signing key is compromised, it seems likely an attacker would also be able to do other stuff, like embed a back door etc., while there are many, many ways a mirror might be compromised, or TLS subverted.
That's not to say that gpg is perfect, I just think verifying the gpg signatures gets you closer to verifying what you (probably) care about: that you indeed have an install ISO that is made in good faith by the Ubuntu release team, and to the best of their knowledge is OK.
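
The procedure both comments circle around, written out as an added example (this is not code from either commenter, and not Ubuntu's own tooling): verify the detached gpg signature on SHA256SUMS first, pin the fingerprint of the key that is supposed to have made it, and only then compare the image against the signed sums. It goes slightly beyond the thread in one respect: it reads gpg's machine-readable `--status-fd` output instead of trusting the exit code alone, so an expired or revoked key, or a good signature from some unrelated key in the keyring, is rejected. Assumptions: a system `gpg` binary on PATH, the Ubuntu CD image signing key fingerprint quoted from memory (check it against Ubuntu's documentation before pinning it), and the sample image name and contents in `demo()` are constructed.

```python
"""Verify a downloaded release image against its GPG-signed SHA256SUMS.
Added example, not code from the thread.  Order matters: check the detached
signature and pin the signing key first, then compare the image hash.  A sums
file fetched from the same mirror as the image proves nothing by itself, since
whoever can swap the image can swap the sums file too."""
import hashlib
import hmac
import os
import shutil
import subprocess
import tempfile

# Fingerprint Ubuntu publishes for its "Ubuntu CD Image Automatic Signing Key
# (2012)", quoted here from memory: confirm it against Ubuntu's documentation
# before pinning it anywhere that matters.
UBUNTU_CDIMAGE_FPR = "843938DF228D22F7B3742BC0D94AA3F0EFE21092"


def parse_sums(text):
    """Parse SHA256SUMS: one '<hex>  <name>' or '<hex> *<name>' entry per line."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")      # '*' is coreutils' binary-mode marker
        digest = digest.lower()
        if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError("malformed SHA256SUMS line: %r" % raw)
        sums[name] = digest
    return sums


def signature_ok(status_output, expected_fpr=None):
    """Judge a detached signature from gpg's --status-fd output.  GOODSIG is
    emitted only for a good signature by a key that is neither expired nor
    revoked (those give EXPKEYSIG / REVKEYSIG).  VALIDSIG carries the signing
    (sub)key fingerprint and, as its last field, the primary key fingerprint;
    pinning expected_fpr rejects good signatures from any other key in the keyring."""
    goodsig, fprs = False, set()
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"):
            return False
        if tag == "GOODSIG":
            goodsig = True
        elif tag == "VALIDSIG" and len(fields) >= 3:
            fprs.add(fields[2].upper())                  # signing key
            if len(fields) >= 12:
                fprs.add(fields[11].upper())             # primary key
    if not goodsig or not fprs:
        return False
    return expected_fpr is None or expected_fpr.upper() in fprs


def verify_signature(sums_path, sig_path, expected_fpr=UBUNTU_CDIMAGE_FPR, keyring=None):
    """Run the system gpg on a detached signature; a keyring file limits which keys count."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg is not installed; the signature cannot be checked")
    cmd = [gpg, "--batch", "--status-fd", "1"]
    if keyring is not None:
        cmd += ["--no-default-keyring", "--keyring", str(keyring)]
    cmd += ["--verify", str(sig_path), str(sums_path)]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode == 0 and signature_ok(proc.stdout, expected_fpr)


def sha256_file(path, chunk_size=1 << 20):
    """Streamed SHA-256, so a multi-gigabyte ISO is never held in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(image_path, sums):
    """True only if the image's SHA-256 equals the signed entry for its file name."""
    expected = sums.get(os.path.basename(image_path))
    return expected is not None and hmac.compare_digest(sha256_file(image_path), expected)


def verify_release(image_path, sums_path, sig_path, **gpg_kw):
    """Whole procedure: signature first, and only then the hash."""
    if not verify_signature(sums_path, sig_path, **gpg_kw):
        return False
    with open(sums_path, encoding="utf-8") as f:
        return verify_image(image_path, parse_sums(f.read()))


def demo():
    """Offline, constructed check of the hash half: a fake image, its matching
    SHA256SUMS, then a one-byte tamper.  Returns (good_verdict, tampered_verdict)."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "example-amd64.iso")     # constructed file name
        with open(image, "wb") as f:
            f.write(b"not really an iso\n" * 1000)
        sums = parse_sums("%s *example-amd64.iso\n" % sha256_file(image))
        good = verify_image(image, sums)
        with open(image, "ab") as f:
            f.write(b"\x00")
        return good, verify_image(image, sums)
```

`verify_release(iso, "SHA256SUMS", "SHA256SUMS.gpg")` is the entry point; passing `keyring=` pointing at a keyring file that holds only the release key narrows trust further than the default keyring does. The signature decision is kept in `signature_ok` so it can be exercised on captured status lines without gpg installed, which is also the honest way to test the failure cases (bad signature, expired key, wrong key) without a throwaway key per case.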