Discussion:
no checksums signatures on the downloads page
Robert Balejík
2016-02-16 12:47:44 UTC
Why are there no checksums or signatures on the downloads page? I want to
verify the integrity of the image, like pretty much anything I install.

Thanks, Rob
packshaud
2016-02-16 22:52:16 UTC
Post by Robert Balejík
> Why are there no checksums or signatures on the downloads page? I want
> to verify the integrity of the image, like pretty much anything I install.
> Thanks, Rob

Use the daily builds page, checksums are available there.
http://cdimage.ubuntu.com/xubuntu/daily-live/
--
xubuntu-devel mailing list
xubuntu-***@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/xubuntu-devel
Elizabeth K. Joseph
2016-02-16 23:07:02 UTC
Post by Robert Balejík
> Why are there no checksums or signatures on the downloads page? I want to
> verify the integrity of the image, like pretty much anything I install.

Since these values change when a new ISO is released, we've
historically depended upon the respective mirrors to ship an MD5SUMS
file along with their download list. Is there one in particular that
is not doing this, or are you looking for a better source location for
the definitive checksum?

It is possible for us to update our policy here, but it does mean
additional burden on the team (we have a LOT to update each time
there's a new ISO already) so I'd like to know that it's worth doing.
--
Elizabeth Krumbach Joseph || Lyz || pleia2
Pasi Lallinaho
2016-02-17 10:32:21 UTC
Post by Elizabeth K. Joseph
> Post by Robert Balejík
> > Why are there no checksums or signatures on the downloads page? I want to
> > verify the integrity of the image, like pretty much anything I install.
> Since these values change when a new ISO is released, we've
> historically depended upon the respective mirrors to ship an MD5SUMS
> file along with their download list. Is there one in particular that
> is not doing this, or are you looking for a better source location for
> the definitive checksum?

Since we are only listing official mirrors (e.g. those that are listed in
Launchpad as Ubuntu mirrors), there should be no mirror that doesn't
have the checksums; the technical requirements imply that the tree is
copied as-is for the Ubuntu images - and once you do that, there's no
need to handle Xubuntu differently.

Post by Elizabeth K. Joseph
> It is possible for us to update our policy here, but it does mean
> additional burden on the team (we have a LOT to update each time
> there's a new ISO already) so I'd like to know that it's worth doing.

There are several things that should be taken into account here:

If the website is not HTTPS only (as it currently isn't), what is the
value of providing a checksum over HTTP? I guess the same comment goes
for the mirrors since they don't offer HTTPS, but of course because of
the technical implementation that is required, they pretty much have to
be correct.

Our recommended download method is torrents. By nature, torrents are
checksummed automatically for correctness while downloading - getting a
part of the ISO file wrong would mean it wouldn't even work. Taking that
into consideration, isn't the question regarding them related to whether
the user downloading the image trusts the source where they get the
torrent file from - torrents.ubuntu.com - over HTTP?

I believe making sure you got the right stuff is important, but the
other thing that is important is being able to offer a relatively simple
download page for the user. Even currently, I'm not sure if I can say
I'm completely happy with our download page; per-release, I feel it's
already long enough and confusing for some users. If we added some
checksums (or a link to them), wouldn't this make it even more confusing
for the user?

All that said, I'm happy to discuss providing the checksums in a more
sensible way.

Serving the checksums over HTTPS from a site the user can trust (and
that is as close to the source organization/team of the ISO as possible)
seems the only sensible way to me. A potential solution to this would be
that while building the images and creating the torrents, there was an
automated method to create a simple checksum page for all the ISOs built
(including Ubuntu, Xubuntu and other flavors). Basically this happens
already (with the cdimage.ubuntu.com mirror), but not over HTTPS. This
would require escalation, but it might be worth it, since I've seen
several people ask about the checksum issue lately.

Finally, as immediate workarounds:
1) use the cdimage.ubuntu.com "source mirror";
   for 14.04: http://cdimages.ubuntu.com/xubuntu/releases/14.04/release/
   for 15.10: http://cdimages.ubuntu.com/xubuntu/releases/15.10/release/
2) use torrents and trust in the technology built around it
3) use our support outlets and ask somebody to checksum their ISO to
   confirm you have the same one

Cheers,
Pasi
--
Pasi Lallinaho (knome) » http://open.knome.fi/
Leader of the Shimmer Project » http://shimmerproject.org/
Ubuntu member, Xubuntu Website lead » http://xubuntu.org/
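The check that workaround 1 in the message above relies on, as an added Python example that is not part of the thread or of any Xubuntu tooling: it parses a coreutils-style checksum file such as the MD5SUMS mentioned earlier and compares a downloaded image against it. It goes beyond the thread by also accepting SHA1SUMS and SHA256SUMS files in the same format; the function names and the `example.iso` sample are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Algorithm implied by the checksum file's name; all share one line format.
ALGORITHMS = {"MD5SUMS": "md5", "SHA1SUMS": "sha1", "SHA256SUMS": "sha256"}

def parse_sums(text):
    """Parse '<hex> <marker><name>' lines; marker is ' ' (text) or '*' (binary)."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        digest, sep, name = line.partition(" ")
        if not sep or len(name) < 2 or name[0] not in " *":
            raise ValueError("malformed checksum line: %r" % line)
        entries[name[1:]] = digest.lower()
    return entries

def file_digest(path, algorithm, chunk_size=1 << 20):
    """Hash in chunks so a multi-gigabyte ISO is never held in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_image(image_path, sums_path):
    """Return 'OK', 'MISMATCH' or 'NOT LISTED' for the image."""
    algorithm = ALGORITHMS[os.path.basename(sums_path)]
    with open(sums_path, encoding="utf-8") as fh:
        expected = parse_sums(fh.read()).get(os.path.basename(image_path))
    if expected is None:
        return "NOT LISTED"  # fail closed: an unlisted image is unverified
    actual = file_digest(image_path, algorithm)
    return "OK" if hmac.compare_digest(actual, expected) else "MISMATCH"

def demo():
    """Constructed sample: a stand-in 'ISO' and MD5SUMS file in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        iso, sums = os.path.join(d, "example.iso"), os.path.join(d, "MD5SUMS")
        with open(iso, "wb") as fh:
            fh.write(b"constructed image bytes")
        with open(sums, "w") as fh:
            fh.write("%s *example.iso\n" % file_digest(iso, "md5"))
        before = verify_image(iso, sums)
        with open(iso, "ab") as fh:
            fh.write(b"!")  # simulate a corrupted or altered download
        return before, verify_image(iso, sums)
```

A matching digest shows the file equals what the checksum file describes; whether that checksum file is authentic depends on where it was fetched from, which is the HTTP versus HTTPS point raised in the thread.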