I think it is a good ideal.
Not ideal but one of the most basic of things.
I would use it to check if the file was not corrupted during download. This would not mean that a file is not a virus.
If a hacker was good enough to replace a file on a site, they would also replace the md5 (or whatever hash that was used) with the hash of the virus.
Those hackers are clever like that.
That's why in the Debian project and all Linux distributions, software downloads are digitally signed and there exists a web of trust of GnuPG keys just for these signatures. I haven't seen the git source code archive, but releases should be signed as well, git is build exactly for that.
I've seen that people put bitcoin software on their own website for download without possibility for verification. It is a facepalm thing to install that. If you do that ever, it may well be that you don't own neither your wallet nor your PC anymore, even if it seems to behave like a bitcoin client.
