[indubitable]

The same code compiled by the same compiler with the same settings compiles to the same binaries. So you can indeed verify that what you're running and what you have the source code to are indeed one and the same.

For that matter, they could still do that to this day. Pick the time frame that the alleged hack happened and examine the source. And again you can compare the binary output to ensure that you actually have the real thing.

[shallot_router]

In practice, this isn't really possible, though. The binary is usually going to be slightly different. In theory you could RE the differences and potentially disprove a backdoor, but it's not easy.

Also, it's not necessarily that hard to slip a very subtle backdoor into the source.