Oh, yes. “This md5sum verifies that the source is indeed the original trojan as published by the author!”
If you don’t know what the code is, you can’t trust it.
Besides, anyone remember that gcc hack some guy pulled off? He made gcc always specially detect when login was being compiled, and secretly added a backdoor, even if the login code was clean. Then he modified it so that this hack in gcc would be inserted into a gcc binary, even with clean gcc source.
Now, since you have to have basic binaries to start a source installation, you could very well end up with a hacked gcc. Then, you could go and grab fresh gcc sources, build those with the hacked gcc, and it would produce a hacked gcc binary (even tho the sources are clean). You’d then blindly trust your built gcc, and use it to compile a nice clean login source, and end up with a hacked login.
So, with that initial binary download, you can check the md5sum of the sources you compile all you want, and still be fscked.
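
The scenario in the comment above, as an added toy model that is not part of the original comment: the source md5sums are identical on both build paths, yet the resulting `login` differs. The `Binary` class, the sample sources and `cross_check` are constructed for illustration; the cross-check goes beyond the comment and assumes deterministic builds and a second, independently obtained compiler binary.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample sources; both are clean and never change below.
GCC_SRC = "int main(){ /* compiler */ }"
LOGIN_SRC = "int main(){ /* login */ }"

def md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

@dataclass(frozen=True)
class Binary:
    """Toy stand-in for an executable: its source checksum plus hidden behaviour."""
    built_from: str   # md5 of the source it was compiled from
    tampered: bool    # True if the compiler that built it injected extra logic

    def digest(self) -> str:
        # Hash of the binary itself, which is what a source md5sum never covers.
        return hashlib.sha256(f"{self.built_from}:{self.tampered}".encode()).hexdigest()

    def compile(self, source: str) -> "Binary":
        # Only meaningful when this binary is a compiler. A tampered compiler
        # taints the two programs the comment names: the compiler and login.
        taint = self.tampered and source in (GCC_SRC, LOGIN_SRC)
        return Binary(md5(source), taint)

# The "basic binaries" you start from: one clean, one tampered (constructed).
CLEAN_SEED = Binary(md5(GCC_SRC), False)
HACKED_SEED = Binary(md5(GCC_SRC), True)

def bootstrap(seed: Binary) -> tuple[Binary, Binary]:
    """Rebuild gcc from clean source with `seed`, then build login with the result."""
    new_gcc = seed.compile(GCC_SRC)
    return new_gcc, new_gcc.compile(LOGIN_SRC)

def cross_check(suspect_seed: Binary, independent_seed: Binary) -> bool:
    """True if both seeds end up producing bit-identical compilers from one source."""
    a = bootstrap(suspect_seed)[0].compile(GCC_SRC)
    b = bootstrap(independent_seed)[0].compile(GCC_SRC)
    return a.digest() == b.digest()
```

Comparing binary digests across two independent bootstrap chains catches what the source checksum cannot, provided the two seed compilers do not share the same tampering.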