Neither sum nor crc-32 are worth the bits they're stored in, for this purpose; both are easy to spoof. If you're going to do it, do it right: md5. Not that I'm convinced it's a good idea. If an ftp site is compromised, its ls-lR file and/or its ls command are likely to be dead meat (dead silicon?) as well. There's also the problem of different versions, .Z vs .gz, etc.