
Switch from MD5sum to SHA256

Open jace opened this issue 8 years ago • 0 comments

Lastuser stores MD5sum of email, originally to facilitate Gravatar lookup, but as a result of that choice, also in other places like email verification and password reset links.

We should switch out from MD5sum to SHA256, but keep the field for Gravatar:

  1. Add SHA256 column to any model that uses MD5sum
  2. Populate the column and make it a unique constraint
  3. Remove unique constraint from MD5sum, but keep it indexed
  4. In all views that read MD5sum (email verify, reset, etc), change the condition to look up SHA256 first and MD5sum next—possibly by checking data length to decide which lookup to use. This is a transition that can be removed after a week when old links expire.

jace, Mar 06 '17 09:03
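The four steps proposed in the issue, as an added example that is not Lastuser's own code: it runs the column migration on an in-memory SQLite table and then resolves a link token by its hex length, SHA256 first and MD5 only while the transition flag is on. The table name `user_email`, the column and index names, the `allow_md5` flag and the Gravatar-style normalization (trimmed, lowercased address) are assumptions made for the example.

```python
import hashlib
import sqlite3

def digests(email):
    """Return (md5_hex, sha256_hex) of the normalized address (assumed: trimmed, lowercased)."""
    data = email.strip().lower().encode("utf-8")
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()

def build_legacy_db(emails):
    """Constructed stand-in for the pre-migration table: MD5 only, unique."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_email (id INTEGER PRIMARY KEY, "
               "email TEXT NOT NULL, md5sum TEXT NOT NULL)")
    db.execute("CREATE UNIQUE INDEX ix_md5sum ON user_email (md5sum)")
    db.executemany("INSERT INTO user_email (email, md5sum) VALUES (?, ?)",
                   [(e, digests(e)[0]) for e in emails])
    return db

def migrate(db):
    # Step 1: add the SHA256 column.
    db.execute("ALTER TABLE user_email ADD COLUMN sha256 TEXT")
    # Step 2: populate it, then enforce uniqueness.
    for row_id, email in db.execute("SELECT id, email FROM user_email").fetchall():
        db.execute("UPDATE user_email SET sha256 = ? WHERE id = ?",
                   (digests(email)[1], row_id))
    db.execute("CREATE UNIQUE INDEX ix_sha256 ON user_email (sha256)")
    # Step 3: MD5 stays indexed for Gravatar but is no longer unique.
    db.execute("DROP INDEX ix_md5sum")
    db.execute("CREATE INDEX ix_md5sum ON user_email (md5sum)")

HEX = set("0123456789abcdef")

def lookup(db, token, allow_md5=True):
    """Step 4: choose the column from the token length; reject anything else."""
    token = token.lower()
    if not set(token) <= HEX:
        return None
    if len(token) == 64:
        column = "sha256"
    elif len(token) == 32 and allow_md5:  # transition window only
        column = "md5sum"
    else:
        return None
    # column comes from the two fixed names above, never from the token
    row = db.execute(f"SELECT email FROM user_email WHERE {column} = ?",
                     (token,)).fetchone()
    return row[0] if row else None
```

Setting `allow_md5=False` once old links have expired removes the fallback without touching the Gravatar column.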