I'd assume that many people download and then check if the MD5/SHA hash matches the published one (e.g., search the web for the hash and see if the results look good).

Harder to do that in automated deployments that are supposed to always use the newest version available though.