regolith-linux / regolith-desktop

Meta package for the Regolith Desktop Environment

ISO zip should only include the ISO and the checksum should be published/linked separately on the site #873

Open spoelstraethan opened 12 months ago

spoelstraethan commented 12 months ago

Just some feedback on the ISO distribution.

Putting the md5sum inside the zip file with the ISO changes the md5sum of the zip (and typically users should care about the checksum of the download to ensure it wasn't tampered with or corrupted in transit). Assuming it is fine just because it unzips and the ISO's checksum matches the md5 file doesn't take into account that a malicious person could rewrite the zip contents on the fly and modify the checksum file and ISO, or more easily just substitute an alternate zip file, since the zip archive doesn't have a published checksum.

In addition, the extra file inside the zip makes it incompatible with the Chrome Recovery Utility extension, which is a great alternative to Etcher or Rufus for Chromebooks: it can transparently "mount" a zip and write the .img/.bin/.iso inside to a USB. If you extract the Regolith zip, since the Recovery Tool only acknowledges .bin or .zip files in the file browser, you have to append .bin to the name via the Files app so it shows up. I confirmed this by extracting only the ISO from the zip, deleting the zip, then creating a new zip in the ChromeOS Files app and selecting it as the "Local Image" in the recovery tool, and it wrote it to USB the same as it did when I appended .bin to the .iso extension.

Originally posted by @spoelstraethan in https://github.com/regolith-linux/regolith-desktop/discussions/772#discussioncomment-6453197
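Worked example of the verification point made in the post above, added here and not part of the regolith-desktop project: a checksum file carried inside the zip still matches after the whole zip is swapped out, while a checksum for the zip published separately on the site catches the substitution. Archive names and ISO contents are constructed placeholders.

```python
"""Added example (not regolith-desktop code): in-archive md5 vs. out-of-band zip checksum.
All archives are built in memory from constructed stand-in ISO content."""
import hashlib
import io
import zipfile


def make_bundle(iso_bytes: bytes) -> bytes:
    """Build a zip the way the issue describes: the ISO plus its md5 file inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("regolith.iso", iso_bytes)  # constructed file name
        zf.writestr("regolith.iso.md5", hashlib.md5(iso_bytes).hexdigest() + "  regolith.iso\n")
    return buf.getvalue()


def internal_check_passes(zip_bytes: bytes) -> bool:
    """Verify the ISO only against the md5 file shipped inside the same archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        iso = zf.read("regolith.iso")
        expected = zf.read("regolith.iso.md5").decode().split()[0]
    return hashlib.md5(iso).hexdigest() == expected


def external_check_passes(zip_bytes: bytes, published_sha256: str) -> bool:
    """Verify the downloaded zip against a checksum obtained out-of-band
    (e.g. listed on the project site, fetched over a separate connection)."""
    return hashlib.sha256(zip_bytes).hexdigest() == published_sha256


def demo() -> dict:
    genuine = make_bundle(b"GENUINE-ISO-CONTENT")     # what the project published
    published = hashlib.sha256(genuine).hexdigest()   # checksum of the zip, published separately
    tampered = make_bundle(b"TAMPERED-ISO-CONTENT")   # substituted zip; its md5 file matches its own ISO
    return {
        "genuine_internal": internal_check_passes(genuine),
        "tampered_internal": internal_check_passes(tampered),   # True: the bundled md5 proves nothing
        "genuine_external": external_check_passes(genuine, published),
        "tampered_external": external_check_passes(tampered, published),  # False: substitution caught
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```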