You use an example of an ftp site with some files on it, and a file containing checksums to verify the integrity of these files. Let's presume the site in question has been hacked, and the software trojaned - it wouldn't take much for the attacker to modify the file containing MD5 sums to reflect the checksums on his modified version of the tarballs, etc.
In this instance I believe verifying PGP signatures would be a lot more reliable. For example, ftp.kernel.org does this with its files. There is a helpful document on this here: http://www.kernel.org/signature.html
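The two verification models contrasted above, as an added example that is not part of the original post or of kernel.org's tooling. It simulates the compromised-mirror scenario: the attacker swaps the tarball and regenerates the co-hosted MD5SUMS file, which `md5sum -c` then happily accepts, while a detached signature checked against a key the downloader obtained elsewhere still fails. Ed25519 from the Go standard library stands in for PGP so the example runs offline; the file contents, file name and keys are constructed here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Constructed stand-ins for the tarball on the FTP site before and after the
// intrusion. Real tarballs are larger; the checks are the same.
var (
	original = []byte("release-1.0.tar.gz: genuine contents")
	trojaned = []byte("release-1.0.tar.gz: contents with a backdoor")
)

// md5Sums produces one line in `md5sum` output format: "<hex digest>  <name>".
// Anyone holding the file can produce it, which is exactly the problem once
// the server is in the attacker's hands: no secret is involved.
func md5Sums(name string, data []byte) []byte {
	sum := md5.Sum(data)
	return []byte(hex.EncodeToString(sum[:]) + "  " + name + "\n")
}

// checkMD5 is what `md5sum -c MD5SUMS` does: recompute and compare.
func checkMD5(sums []byte, name string, data []byte) bool {
	return bytes.Equal(sums, md5Sums(name, data))
}

// Result records what each verification method says about the files served
// after the intrusion.
type Result struct {
	GenuineAccepts   bool // sanity check: untouched file, untouched sums and signature
	MD5Accepts       bool // co-hosted checksum file, rewritten by the attacker
	StaleSigAccepts  bool // maintainer's old signature left next to the new tarball
	ForgedSigAccepts bool // attacker signs the new tarball with his own key
}

// Simulate runs the scenario. The maintainer's private key is generated here
// and never leaves this function, just as a release-signing key does not live
// on the FTP server. Only the public key and the signature are published.
func Simulate() (Result, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	name := "release-1.0.tar.gz"
	sums := md5Sums(name, original)     // MD5SUMS as the maintainer published it
	sig := ed25519.Sign(priv, original) // detached signature as published

	// The downloader obtained pub independently of the mirror (keyserver,
	// key shipped with the distribution, fingerprint checked out of band).
	var r Result
	r.GenuineAccepts = checkMD5(sums, name, original) && ed25519.Verify(pub, original, sig)

	// Intrusion: the attacker replaces the tarball and rewrites MD5SUMS to match.
	sums = md5Sums(name, trojaned)
	r.MD5Accepts = checkMD5(sums, name, trojaned)

	// He can leave the maintainer's signature in place over the new contents...
	r.StaleSigAccepts = ed25519.Verify(pub, trojaned, sig)

	// ...or sign with a key he controls. The downloader's pinned key rejects both.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	r.ForgedSigAccepts = ed25519.Verify(pub, trojaned, ed25519.Sign(attackerPriv, trojaned))
	return r, nil
}

func main() {
	r, err := Simulate()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

With real releases the signature check is `gpg --verify <file>.sign <file>` against a detached signature, and the whole argument rests on where the public key came from: if the downloader fetches the key from the same compromised mirror, the attacker can publish his own key alongside his own signatures and the check proves nothing. The key, or at least its fingerprint, has to be obtained and trusted independently of the files it vouches for.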