I'm about to download some OSS software, and I would like to ensure (with a reasonable degree of certainty) that it hasn't been tampered with to insert malware. Specifically, it's a password manager (KeePassX), which seems like an extremely juicy target for hacking, so I'm feeling particularly paranoid.
The two vectors for malware insertion that I can think of are:
- Malware making its way into the official source code.
- A malicious fork or build being substituted for the official one on the website.
The download page does provide checksums; however, this wouldn't seem to protect against the above two hacks.
I don't have the expertise or time to do a source code audit.
What are best practices for checking open source software of a sensitive nature for malware?