Avoiding Trojans and Rootkits
Subject:   validating md5s
Date:   2003-04-20 12:18:41
From:   anonymous2
It is true that you cannot validate the md5 from the same site that you download the file from. However, it is slightly safer to check the md5 from a mirror on a different server, presuming that the mirror isn't mirroring the tainted md5 as well, and also presuming that if the hacker can gain access to box 1 to corrupt the md5 file, he can't gain access to box 2 as well to corrupt the other md5 file.

Either way, if you're going to tell someone how to check md5s, you should at least let them know to verify the md5 from a second source.

As mentioned in the other comment, PGP is probably better than md5. I would trust md5 to verify that the download was successful and that the file didn't get corrupted during the download, although it's not very safe for verifying that the package you're downloading has not been hacked.
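The cross-check the comment recommends, as an added example that is not part of the original post: the checksum list is fetched from at least two independent sources, the sources must agree on the file's digest, and only then is the downloaded file compared against it. The package bytes and the checksum texts below are constructed samples in md5sum's output format; fetching them from real mirrors is assumed to happen outside this snippet.

```python
import hashlib
import re

# Constructed sample "download" and the md5sum-style lines two independent
# sources might serve for it (format assumed: "<hex digest>  <filename>").
PACKAGE_NAME = "pkg-1.0.tar.gz"
PACKAGE_BYTES = b"constructed package contents\n"
GOOD_DIGEST = hashlib.md5(PACKAGE_BYTES).hexdigest()

PRIMARY_MD5 = f"{GOOD_DIGEST}  {PACKAGE_NAME}\n"                 # the download site
MIRROR_MD5 = f"{GOOD_DIGEST}  {PACKAGE_NAME}\n"                  # an independent mirror
TAMPERED_MD5 = f"{'0' * 32}  {PACKAGE_NAME}\n"                   # a mirror serving a bad digest


def parse_md5sum_lines(text):
    """Map filename -> lowercase hex digest from md5sum-style output."""
    sums = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{32})\s+\*?(.+)$", line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def verify_with_second_source(data, name, checksum_texts):
    """Return (ok, reason).  ok only if at least two sources list the file,
    every source agrees on the digest, and the data hashes to that digest."""
    if len(checksum_texts) < 2:
        return False, "need a checksum from at least two independent sources"
    digests = set()
    for i, text in enumerate(checksum_texts):
        entry = parse_md5sum_lines(text).get(name)
        if entry is None:
            return False, f"source {i} does not list {name}"
        digests.add(entry)
    if len(digests) != 1:
        # Disagreement means at least one source is stale or has been altered;
        # refuse rather than trust whichever one happens to match the file.
        return False, "sources disagree: one of them may be tampered or stale"
    actual = hashlib.md5(data).hexdigest()
    if actual != digests.pop():
        return False, "digest mismatch: corrupted download or altered file"
    return True, "digest matches and all sources agree"


if __name__ == "__main__":
    print(verify_with_second_source(PACKAGE_BYTES, PACKAGE_NAME, [PRIMARY_MD5, MIRROR_MD5]))
    print(verify_with_second_source(PACKAGE_BYTES, PACKAGE_NAME, [PRIMARY_MD5, TAMPERED_MD5]))
```

As the comment notes, agreement between sources only raises the bar for an attacker who controls one server; a PGP signature checked against a key obtained out of band is the stronger check.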