[mihaifm]

This is how I view it:

* Being open source protects against a malicious developer. Otherwise there is nothing preventing him to build the binary with a different source, and send the passwords to his own server.

* Signed code archive prevents against a compromised hosting site.

[perl4ever]

In order to get from a trusted source to a trusted binary, you have to trust the compiler and its dependencies as well, I think.