file checksums

[Richard Gaskin]

I see a lot of sites that offer files to download also including an MD5 
value or other checksum, ostensibly so we can verify the integrity of 
the package before running it.

Sounds good, but if a hacker has sufficient control of a server to 
replace the package, would he not also be able to update the checksums 
displayed there to reflect those in his modified package?

I like the idea of providing checksums, but I'm having a hard time 
seeing the practical benefit.

What am I missing?

--
  Richard Gaskin
  Fourth World
  LiveCode training and consulting: http://www.fourthworld.com
  Webzine for LiveCode developers: http://www.LiveCodeJournal.com
  Follow me on Twitter:  http://twitter.com/FourthWorldSys