Just to throw my 2 cents in...

Though it is not very likely someone could alter a file and fake an md5 checksum, it is very possible they could also supply you with a fake md5sum. If someone broke into an FTP server and altered the file, it is just as likely they altered the md5sum file which contains the checksum.

Just something to keep in mind, which is why PGP signatures are much better in such cases.
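An added example, not part of the original post, illustrating the point above: a checksum stored next to the file still verifies after both are replaced, while a detached signature does not. A Lamport one-time signature over SHA-256 stands in for PGP so the code needs only the standard library; the file name and contents are constructed.

```python
import hashlib
import secrets

def md5sum_ok(data: bytes, sidecar: str) -> bool:
    """Check data against an md5sum-style sidecar line: '<hex>  <name>'."""
    return hashlib.md5(data).hexdigest() == sidecar.split()[0]

# Lamport one-time signature: an assumption of this example, used as a
# stdlib-only stand-in for a PGP detached signature.
def _bits(data: bytes):
    digest = hashlib.sha256(data).digest()
    return [(byte >> i) & 1 for byte in digest for i in range(8)]

def keygen():
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in priv]
    return priv, pub

def sign(priv, data: bytes):
    return [priv[i][bit] for i, bit in enumerate(_bits(data))]

def verify(pub, data: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(hashlib.sha256(s).digest() == pub[i][bit]
               for i, (bit, s) in enumerate(zip(_bits(data), sig)))

def simulate():
    # Publisher side: the private key never lives on the download server.
    priv, pub = keygen()
    original = b"release-1.0 contents (constructed sample)\n"
    server = {"file": original,
              "md5": hashlib.md5(original).hexdigest() + "  release.tar\n",
              "sig": sign(priv, original)}
    before = (md5sum_ok(server["file"], server["md5"]),
              verify(pub, server["file"], server["sig"]))
    # The file and its md5sum sidecar are both replaced on the server.
    # The signature cannot be regenerated without the private key.
    tampered = b"release-1.0 contents, modified (constructed sample)\n"
    server["file"] = tampered
    server["md5"] = hashlib.md5(tampered).hexdigest() + "  release.tar\n"
    after = (md5sum_ok(server["file"], server["md5"]),
             verify(pub, server["file"], server["sig"]))
    return before, after  # each tuple is (md5 check, signature check)

if __name__ == "__main__":
    print(simulate())
```

The signature check only helps if the public key was obtained through a channel other than the server being checked.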