Was downloading Eclipse again today, and noticed this all-too-common line:

Windows 98/ME/2000/XP (http) (ftp) eclipse-SDK-3.0M3-win32.zip (md5)

Now how many people check for independent confirmation that the MD5 is what they expected? Sure, if somebody replaced the actual file you're downloading and absolutely nothing else, you'd find out. But if someone has compromised the file you're downloading, couldn't they also recalculate the checksum for the compromised file and publish that instead? That wouldn't even require hacking the web server, just the location the file (and the .md5 sitting next to it) is served from. A checksum only tells you something when it comes from somewhere the attacker doesn't also control.

Anyhow, MD5s look nice, but I wonder how many people really check them out to the degree that they're truly reassuring.