There are better hashes than MD5 and SHA1 available these days. We use BLAKE2B and SHA512 for ebuild Manifests these days.
The list of hashes needs to be configurable, like layout.conf manifest-hashes and manifest-required-hashes settings.
We can still do this, but I feel like it matters a lot less now we have signing.
