Trivial to implement and without this anything based on domain names (web filtering, ntp) is vulnerable.
DNSSEC should also be implemented on all Sophos sites.
Just an observation: Powershell does an excellent job of parsing XML. It would automatically tabulate the export, and allow deep querying.
It’s probably quite easy to write a script to turn one into the other too.
DNSSEC should be on the download site too.
The fact that XG doesn’t validate DNSSEC or secure NTP astonishes me.
Bear in mind MD5 and even SHA1 are not cryptographically secure. SHA256 at a minimum.
GPG downloads (update packages) should already be safe, signed by keys already programmed into the appliance. But this isn’t the case for ISO files.
Showing hashes on a web page is of little use though (if the download is compromised the displayed hash could be too).
All downloads should be gpg signed and the key fingerprint should be included in physically printed documentation supplied via post.