Apache Ivy provides two algorithms (SHA-1 and MD5) to verify the correctness of files in a repository. MD5 has been known to be unsafe for a while, which is no problem because SHA-1 is also supported. As of yesterday SHA-1 is also broken (e.g. http://hackaday.com/2017/02/23/shattered-sha-1-is-broken/).
To ensure correctness of our artifacts, please extend those algorithms with SHA-256 and/or SHA-512.
MessageDigests are computed in class
using MessageDigest.getInstance(mdAlgorithm). It should be no problem to extend the list of allowed algorithms, because at least with JDK/JRE 6 SHA-512 is supported (see https://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#MessageDigest).
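
A sketch of the requested behaviour, added here as an example and not taken from Ivy's code base: a checksum check that accepts SHA-256 and SHA-512 next to the existing algorithms through `MessageDigest.getInstance`. The class name `ChecksumCheck`, the configuration names in `ALGORITHMS` and the file name `artifact.jar` are assumptions; `Map.of` needs Java 9 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;
import java.util.Map;

public class ChecksumCheck {
    // Assumed configuration names mapped to JCA standard algorithm names.
    private static final Map<String, String> ALGORITHMS = Map.of(
            "md5", "MD5", "sha1", "SHA-1", "sha-256", "SHA-256", "sha-512", "SHA-512");

    // Streams the data through the digest so large artifacts are not held in memory.
    static String hexDigest(InputStream in, String name)
            throws IOException, NoSuchAlgorithmException {
        String jca = ALGORITHMS.get(name.toLowerCase(Locale.ROOT));
        if (jca == null) {
            throw new IllegalArgumentException("Unknown checksum algorithm: " + name);
        }
        MessageDigest md = MessageDigest.getInstance(jca);
        byte[] buf = new byte[8192];
        for (int n; (n = in.read(buf)) != -1; ) {
            md.update(buf, 0, n);
        }
        StringBuilder hex = new StringBuilder();
        for (byte b : md.digest()) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    // Checksum files may hold "<hex>" or "<hex>  <filename>"; compare the first token only.
    static boolean matches(InputStream in, String name, String checksumFileContent)
            throws IOException, NoSuchAlgorithmException {
        String expected = checksumFileContent.trim().split("\\s+")[0];
        return hexDigest(in, name).equalsIgnoreCase(expected);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the bytes "abc" and the published SHA-256 test vector for them.
        String sha256File = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
                + "  artifact.jar";
        byte[] good = "abc".getBytes(StandardCharsets.US_ASCII);
        byte[] tampered = "abd".getBytes(StandardCharsets.US_ASCII);
        System.out.println(matches(new ByteArrayInputStream(good), "sha-256", sha256File));
        System.out.println(matches(new ByteArrayInputStream(tampered), "sha-256", sha256File));
    }
}
```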