Concur with the MD5 flaw.
It's strongly recommended you use a variety of hashes on your software, not merely whatever happens to be trendy. Hashes suffer from the Shannon problem (long story short: loss of resolution in data means substantially less accurate), which is why you should employ multiple hashes which means an attacker needs to not only pwn one hash, but several.
It becomes easier for an attacker to then just modify your hashes without you looking (rather than modify the code to fit the hash), at which point you have to make sure you keep backups of said hashes.
Done correctly, you will have enough hashes from enough algorithms that it's impossible to tamper with the code without tripping one or the other. MD5 and SHA1 are broken, but you can still use them… in conjunction with other non-broken hashes.
Sure, it's extra work, but it offers immunity to your reputation being compromised if it gets subverted.
>How do you manage the anonymous part?
PGP
Assuming you don't bury your identity somewhere in the PGP message (which should also contain the hashes). Of course, that introduces a reputation problem. You either have to trade a loss of trust for anonymity, or offer identity with reputation to engage in trust.
To be honest, I wouldn't recommend identifying yourself anyway, because even if you did, it's unlikely you have the reputational backing for it (if new) and it'd give too many clues if you're an 'old hand' (with a good rep).
Best to teach anons how to proofread, scruntise your code, make it open source, explain each line of code. Make the trust in the code, not you.