Please tell the developers to provide pgp signed checksums of he downloads aswell as SHA256 checksums. Since SHA1 is weak and broken and SHA256 is the key standard for almost all linux distros and major software. You could still keep the SHA1 but have SHA256 as well as a signed signature .asc file signed with the developer/s GPG key.