Surely .deb files have an internal validatory hash?
I have no idea, but it would not matter. If nasties were included in the .deb, any hash would be updated too, unless the hacker was a complete dolt. The .deb is not quite like a compiled .exe; it is more of an instruction list, also with some files.
Using a SHAxxx checksum provided by the developer will validate the file as it was when it left the Dev's desk.
Having a SHAxxx independently provided by FPC to validate the download at **my** desk just makes sense.
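The point made in the reply above, as an added example that is not part of the original posts: a manifest carried inside a package can be regenerated together with any change to the contents, while a checksum obtained separately cannot. It is a simplified model in which one tar archive stands in for a .deb (a real .deb is an ar archive whose control archive commonly carries an `md5sums` file); the function names, file names and contents are constructed for illustration.

```python
import hashlib
import hmac
import io
import tarfile


def build_package(files):
    """Pack files plus an internal md5sums manifest into one tar (as bytes)."""
    manifest = "".join(
        f"{hashlib.md5(data).hexdigest()}  {name}\n"
        for name, data in sorted(files.items())
    ).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [("md5sums", manifest), *sorted(files.items())]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def internal_check(package):
    """True if every file matches the manifest carried inside the package."""
    with tarfile.open(fileobj=io.BytesIO(package)) as tar:
        manifest = tar.extractfile("md5sums").read().decode()
        for line in manifest.splitlines():
            digest, name = line.split("  ", 1)
            if hashlib.md5(tar.extractfile(name).read()).hexdigest() != digest:
                return False
    return True


def external_check(package, published_sha256):
    """True if the whole download matches a checksum obtained separately."""
    actual = hashlib.sha256(package).hexdigest()
    return hmac.compare_digest(actual, published_sha256)


# Constructed sample data: the released package, and a copy whose contents
# and internal manifest were both changed after release.
released = build_package({"usr/bin/tool": b"original build\n"})
modified = build_package({"usr/bin/tool": b"altered build\n"})
published = hashlib.sha256(released).hexdigest()  # stands in for the published SHA


def report():
    """Map each package to (internal manifest ok, external checksum ok)."""
    samples = (("released", released), ("modified", modified))
    return {n: (internal_check(p), external_check(p, published)) for n, p in samples}
```

The internal manifest still catches accidental corruption, where the contents change but the manifest does not; only the separately obtained checksum distinguishes the modified copy from the release.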