md5 is still used in a number of places in Debian. It is not the only hash used in those places, but software may still fall back to md5, which must be avoided given that md5 is not the strongest hash nowadays, to put it mildly.

This page tries to list the places where we use md5 to protect the integrity of systems, packages, etc., and how and when we can move away from it.

[mjj29] Currently there are the following hashes to consider with their security statuses:

Any changes made to switch from md5 should bear in mind that there will soon be another switch to sha3 and ensure that they are sufficiently agile to transition easily to other hash algorithms in the future.

apt/archive chain

Stuff to do:

d-i/source chain

The etch dpkg source chain produces only md5 hashes in its .dsc and .changes files. Later versions include other hashes also:
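The following added example, which is not code from this page or from dpkg or apt, reads the checksum fields of a .dsc or .changes file (Files holds md5; Checksums-Sha1 and Checksums-Sha256 are the additional fields), verifies with the strongest one present and rejects an md5-only file instead of falling back to it. The function names, the WEAK set and the sample data are assumptions made for the example.

```python
import hashlib

# Checksum fields of .dsc/.changes files, strongest first; "Files" carries md5.
FIELDS = [("Checksums-Sha256", "sha256"), ("Checksums-Sha1", "sha1"), ("Files", "md5")]
WEAK = {"md5", "sha1"}  # assumption of this example: treat both as fallback-only

def parse_checksums(text):
    """Return {algo: {filename: (hexdigest, size)}} for the fields present."""
    names, found, current = dict(FIELDS), {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t"):          # continuation line of a multi-line field
            parts = line.split()
            if current and len(parts) >= 3:  # digest size [section priority] filename
                found[current][parts[-1]] = (parts[0].lower(), int(parts[1]))
        else:
            current = names.get(line.split(":", 1)[0])
            if current:
                found.setdefault(current, {})
    return found

def verify(text, blobs, allow_weak=False):
    """Verify blobs (name -> bytes) with the strongest hash the file offers.
    An md5-only or sha1-only file is rejected unless allow_weak is set."""
    found = parse_checksums(text)
    algo = next((a for _, a in FIELDS if found.get(a)), None)
    if algo is None:
        raise ValueError("no checksum field present")
    if algo in WEAK and not allow_weak:
        raise ValueError(f"only {algo} offered; refusing weak-hash fallback")
    for name, (digest, size) in found[algo].items():
        data = blobs.get(name)
        if data is None or len(data) != size or hashlib.new(algo, data).hexdigest() != digest:
            raise ValueError(f"{name}: missing or {algo}/size mismatch")
    return algo

def sample_dsc(blobs, algos):
    """Build a constructed, unsigned .dsc-style body listing blobs under algos."""
    out = ["Format: 1.0", "Source: hello-example"]
    for field, algo in FIELDS:
        if algo in algos:
            out.append(field + ":")
            out += [f" {hashlib.new(algo, d).hexdigest()} {len(d)} {n}" for n, d in blobs.items()]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    files = {"hello-example_1.0.tar.gz": b"constructed sample bytes"}
    print(verify(sample_dsc(files, {"md5", "sha1", "sha256"}), files))
    try:
        verify(sample_dsc(files, {"md5"}), files)
    except ValueError as err:
        print("rejected:", err)
```

The digests only protect the listed files if the control file itself is authenticated through its OpenPGP signature, which this example does not check.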

other things