These sort of attacks do not directly affect the way the hash is used in crux but they do demonstrate weakness in md5. I think this gives a strong case for depreciating its usage.
This is exactly why it's "okay" to continue to use MD5 hashing in this particular use-case.
It is only used to verify the integrity of sources of a port as specified in a Pkgfile.
Whilst changing to sha256sums is probably trivial; it probably doesn't really buy much in terms of "security" (since we're not using md5 for security purposes).