I'll stick to the techie stuff and leave wild guessing to others.
As to sourceforge, ALWAYS download the .asc file together with the version of the client you're downloading
(if you need bitcoin-0.5.1-win32.zip, make sure to grab bitcoin-0.5.1-win32.zip.asc as well).
The .asc file is a digital signature file.
You can use an open source tool named gpg to verify that not one bit was changed in the bitcoin client since Gavin signed it.
Verification is done like that:
gpg --verify s:\progs\bitcoin\bitcoin-0.5.1-win32.zip.asc s:\progs\bitcoin\bitcoin-0.5.1-win32.zip
Of course you need Gavin's public key to do that. Just grab it from bitcoin.org (http://bitcoin.org/gavinandresen.asc
You'll need to import it into gpg:
gpg --import c:\...\gavinandresen.asc
If you're REALLY paranoid, downoading source code only and doing a complete diff against the previous version might be the way to go.
Once you've satisfied yourself, compile
A short message? Tempting as it may sound to a non-technical user, that would be like applying growth hormones to the blockchain. Those messages would all have to live there, right?
The last thing anyone needs is a bloated blockchain artificially inflated with user's messages.
Also, messaging is kinda out of spec: bitcoin is a money transfer system, it serves the same purpose as Visa's infrastructure. Why bother?