[rayvd]

This seems an unfair leap. The most common cause of a checksum mis-match is going to be a partial download or something similar.

It's also not relevant to the current attack since the code was legitimately included in the official release and, as such, baked into the valid checksum results.

[tstrimple]

Is the proper response to tell a customer to install the package anyway because it's just a partial download or something similar? Regardless, it seems irresponsible.