Denis A. Altoé Falqueto email@example.com on Wed, 2013/04/24 17:18:
I would say that the best way to assure you're using the correct file, as intended by the original developers, is to use digital signatures to check the sources. Not all projects sign their releases, but for those who do, you can use makepkg's support for GPG signature checking.
I do know some projects which sign their packages buy Arch PKGBUILDs do not use them. Package 'postfix' is an example. Do the developers want bug reports about that?