@xi: The check algorithm md5 is weaker than sha*. But let's say you manage to download over a secured HTTPS connection, from a trusted website/mirror, and you can check that the seal (md5, sha-256, etc.) is OK. Then you can only be sure that you get the original package (TCZ) as it was released by its author. And nothing more.
Security is an illusion. You DO NOT know what is packaged in that TCZ. You have to trust the (open) source without auditing it. You have to trust the gcc compiler was not hacked. You have to trust the author of the extension (TCZ) really gave you the results of the final program, not some other "work", a blob, he could put inside the tcz (who do you think will audit your tcz?).
PS: Personally I do not have these concerns. But it seems you started to have them, or at least opened Pandora's box.