by floatboth 3321 days ago
That's how pretty much all packages in any distribution are built.

Note the included hashes — if the file on the server gets replaced, the building process will complain. (Sure the package maintainer will probably just replace the hash :D But if the file changed but the version number didn't change, or there was no release announcement, that's suspicious…)


But Arch pulls these files and rebuilds every time, right? Compared to most other distros where only the (more) savvy maintainer does these steps. Don't Arch end users just assume there's a new version out and the package hasn't been updated, ignore the error and install anyway? Or are they better trained to take notice of this suspicious stuff?
> ignore the error and install anyway

I don't remember how Arch does it, but in FreeBSD Ports you need to actively replace the hash in the text file, there's no easy ignore option. (FreeBSD also mirrors the files on the project's servers, which is pretty cool)
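
The pinned-hash check discussed in this thread, as an added example that is not part of the original comments and is not FreeBSD's or Arch's own tooling. It assumes distinfo-style `SHA256 (file) = hex` and `SIZE (file) = bytes` lines; the file name, contents and the `verify`/`parse_distinfo` helpers are constructed for illustration.

```python
import hashlib
import re

# distinfo-style line: "SHA256 (name) = hex" or "SIZE (name) = bytes"
_LINE = re.compile(r"^(SHA256|SIZE) \((.+)\) = (\S+)$")

class DistfileMismatch(Exception):
    """Raised when a fetched file does not match its pinned record."""

def parse_distinfo(text):
    """Return {filename: {"SHA256": hex, "SIZE": int}} from distinfo text."""
    pinned = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # e.g. the TIMESTAMP line
        key, name, value = m.groups()
        pinned.setdefault(name, {})[key] = int(value) if key == "SIZE" else value.lower()
    return pinned

def verify(name, data, pinned):
    """Check fetched bytes against the pinned size and SHA-256; no ignore path."""
    record = pinned.get(name)
    if record is None or "SHA256" not in record:
        raise DistfileMismatch(f"{name}: no pinned hash, refusing to build")
    if "SIZE" in record and len(data) != record["SIZE"]:
        raise DistfileMismatch(f"{name}: size {len(data)} != pinned {record['SIZE']}")
    actual = hashlib.sha256(data).hexdigest()
    if actual != record["SHA256"]:
        raise DistfileMismatch(f"{name}: sha256 {actual} != pinned {record['SHA256']}")
    return actual

# Constructed sample: a fake tarball and the distinfo a maintainer would commit.
ORIGINAL = b"example-1.0 release tarball contents\n"
DISTINFO = (
    "TIMESTAMP = 1500000000\n"
    f"SHA256 (example-1.0.tar.gz) = {hashlib.sha256(ORIGINAL).hexdigest()}\n"
    f"SIZE (example-1.0.tar.gz) = {len(ORIGINAL)}\n"
)

def demo():
    """Return (result for the original file, result for a same-size replacement)."""
    pinned = parse_distinfo(DISTINFO)
    ok = verify("example-1.0.tar.gz", ORIGINAL, pinned)
    replaced = ORIGINAL.replace(b"1.0", b"1.O")  # same length, different bytes
    try:
        verify("example-1.0.tar.gz", replaced, pinned)
        return ok, "accepted"
    except DistfileMismatch as exc:
        return ok, str(exc)
```

The only way past a mismatch here is to edit the pinned record itself, which leaves a reviewable change in the recipe's history.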