Suggestion: Use strong hashes on the download page
> The only use of the hash is to check a download from a mirror.

Right, but if a weak hashing algorithm is in use then mirrors are free to publish whatever crafted code they like and go "hey look the file matches the official hash therefore you can trust it."
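
A download check along the lines discussed above, as an added example that is not part of the original post or of any project's code. It takes the digest entry copied from the official page, refuses MD5 and SHA-1 outright, and compares the mirror file against it. The `algo:hexdigest` entry format, the allowed-algorithm policy and all names are assumptions.

```python
import hashlib
import hmac
import io

# Assumed policy: digest algorithms accepted for release checks -> hex length.
ALLOWED = {"sha256": 64, "sha384": 96, "sha512": 128}
# Algorithms with practical collision attacks: refused regardless of the value.
WEAK = {"md5", "sha1"}


class VerificationError(Exception):
    """Raised when the published entry or the downloaded file is not acceptable."""


def parse_published(entry):
    """Parse 'algo:hexdigest' as copied from the official page, not the mirror."""
    algo, sep, digest = entry.strip().partition(":")
    algo = algo.lower().replace("-", "")
    digest = digest.strip().lower()
    if not sep:
        raise VerificationError("expected 'algo:hexdigest'")
    if algo in WEAK:
        raise VerificationError(f"{algo} is too weak; use sha256 or stronger")
    if algo not in ALLOWED:
        raise VerificationError(f"unsupported algorithm {algo!r}")
    if len(digest) != ALLOWED[algo] or set(digest) - set("0123456789abcdef"):
        raise VerificationError("malformed digest")
    return algo, digest


def verify_stream(stream, entry, chunk=65536):
    """Hash the mirror download in chunks and compare with the official entry."""
    algo, expected = parse_published(entry)
    h = hashlib.new(algo)
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    if not hmac.compare_digest(h.hexdigest(), expected):
        raise VerificationError("digest mismatch: file differs from the release")
    return algo


# Constructed sample data: an "official" release and a modified mirror copy.
OFFICIAL = b"release-1.0 contents (constructed sample)\n"
TAMPERED = OFFICIAL + b"appended by mirror"
PUBLISHED = "sha256:" + hashlib.sha256(OFFICIAL).hexdigest()
WEAK_PUBLISHED = "md5:" + "0" * 32  # constructed placeholder digest

if __name__ == "__main__":
    print(verify_stream(io.BytesIO(OFFICIAL), PUBLISHED))
```

The published entry has to come from the official site over an authenticated channel; a digest served by the mirror itself proves nothing.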