We should compute and display SHA-256 hashes of tarballs in make release and make it clear that MD5 is unsafe and for compatibility only. I think we should keep all the MD5 hashes for now to avoid any compatibility issues related to sourceforge. But after sourceforge is retired, it should be safe to remove all uses of MD5.
HOWTO-release.md should also be updated accordingly.
alexvong243f changed the title from "Makefile: Compute and display SHA-256 of tarballs in Makefile" to "Makefile: Compute and display SHA-256 of tarballs in make release" on Aug 12, 2022
Sounds good but I'm not sure how much of the pkg install -forge routines use md5 and those are still in use back to Octave 4 or something like that. So tread lightly and keep both!
Sure, we should wait long enough and test thoroughly before removing any legacy stuff.
Also, we should investigate whether upstream is still using legacy hash functions such as MD5 or SHA-1 and fix it accordingly. For instance, help hash still uses MD5 and SHA-1 as the only examples, which isn't helpful if we want users not to use them...
Related to #1180.
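One way the hash display proposed in this issue could look, as an added example that is not code from the project's Makefile. The function names (`sha256_of`, `md5_of`, `print_release_hashes`, `verify_sha256`) are hypothetical; the sketch assumes a POSIX shell with `sha256sum`, `shasum` or `openssl` available.

```shell
#!/bin/sh
# Added example, not the project's Makefile. All function names are hypothetical.

# sha256_of FILE: print the SHA-256 hex digest using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# md5_of FILE: print the MD5 hex digest. Kept for compatibility only.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 -r "$1" | cut -d' ' -f1
    fi
}

# print_release_hashes FILE...: show both digests per tarball, SHA-256 first,
# with the MD5 line explicitly labelled as unsafe.
print_release_hashes() {
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "error: cannot read $f" >&2
            return 1
        fi
        echo "$f"
        echo "  SHA-256: $(sha256_of "$f")"
        echo "  MD5 (unsafe, compatibility only): $(md5_of "$f")"
    done
}

# verify_sha256 FILE EXPECTED: succeed only if the digest matches (case-insensitive).
verify_sha256() {
    actual=$(sha256_of "$1") || return 1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# When run as a script with tarball paths as arguments, print their hashes.
if [ "$#" -gt 0 ]; then print_release_hashes "$@"; fi
```

A release recipe could call `print_release_hashes` on the generated tarballs, and a downloader could check a published value with `verify_sha256`.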