That is assuming I have the correct md5 hash number and know how to verify the number is real.
Well, I've been able to locate the hash on the download page, the utilities for verifying/generating a hash have been in the system for a long time (man -k md5 or man -k sha). As for the question "is the file I grabbed from linux.org compromised", well, that's when one goes to mirror sites and looks to see if hashes match.
Before you let this make you lose all faith in Linux or other open source software, at least you have the chance to "trust but verify". What do you think a commercial company would do? Are you 100% satisfied that you're pulling Windows updates from an official uncompromised server (Windows/Microsoft used as an example)?
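
The mirror cross-check described in the reply above, sketched as an added example that is not part of the original posts. It assumes `sha256sum` is installed and that each mirror's checksum list uses the `HASH  FILENAME` layout that tool writes; the function names, file names and sample data are constructed for illustration.

```shell
# Added example, not from the thread. Assumes each checksum list came from a
# different mirror and uses the "HASH  FILENAME" layout written by sha256sum.

# expected_hash LIST NAME: print the hash that LIST records for NAME, if any.
expected_hash() {
    awk -v name="$2" '{ f = $2; sub(/^\*/, "", f) }
        f == name { print tolower($1); exit }' "$1"
}

# verify_against_mirrors FILE LIST...
#   0  every list agrees with the hash of the local file
#   1  the lists agree with each other, but the local file differs
#   2  a list has no entry for FILE, or the lists disagree with each other
verify_against_mirrors() {
    file=$1; shift
    name=$(basename "$file")
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    first=""
    for list in "$@"; do
        want=$(expected_hash "$list" "$name")
        if [ -z "$want" ]; then
            echo "$list: no entry for $name"; return 2
        fi
        if [ -z "$first" ]; then first=$want; fi
        if [ "$want" != "$first" ]; then
            echo "$list: published hash differs from $1"; return 2
        fi
    done
    if [ "$actual" != "$first" ]; then
        echo "$name: local hash $actual, mirrors publish $first"; return 1
    fi
    echo "$name: OK, matches $# checksum list(s)"
}

# Constructed sample data: one "download" and three pretend mirror lists.
demo() {
    d=$(mktemp -d)
    printf 'constructed image contents\n' > "$d/distro.iso"
    good=$(sha256sum "$d/distro.iso" | awk '{ print $1 }')
    bad=$(printf 'tampered\n' | sha256sum | awk '{ print $1 }')
    printf '%s  distro.iso\n' "$good" > "$d/mirror-a.sums"
    printf '%s *distro.iso\n' "$good" > "$d/mirror-b.sums"
    printf '%s  distro.iso\n' "$bad"  > "$d/mirror-c.sums"
    verify_against_mirrors "$d/distro.iso" "$d/mirror-a.sums" "$d/mirror-b.sums"
    verify_against_mirrors "$d/distro.iso" "$d/mirror-a.sums" "$d/mirror-c.sums" ||
        echo "exit status $?"
    rm -rf "$d"
}
demo
```

Exit status 2 separates "the mirrors do not agree on what the file should be" from status 1, where the mirrors agree and only the local copy differs.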