by flebron 4009 days ago
Do you also trust your package maintainer to not mismerge patches and leave you open to security bugs? Your argument is no bueno.
2 comments

You have to extend trust out at some point. Your only other alternative is to manually type the machine code required for a C compiler and start from that.

Additionally, it's fairly ironic this is about a browser. If you don't trust package maintainers, yet you want to use a browser, the whole point of which is to download and interpret text, code and binaries which you have little in the way of actually controlling after pointing it at a site, then I think you've made some interesting security trade-offs in your mind.

Okay, so the only other alternative is to create your own processor[1], manually type the machine code required for a C compiler, and then start from that. Sheesh.

Really, this is what everything in life is like. Every time you cross a bridge, you are implicitly trusting the builders who built it, the engineers who designed it, the mechanical engineering processes they used, and the mathematical disciplines that they rely on, all the way down to their fundamental axioms. You have to extend trust at some point there as well, otherwise you can start by proving there exists a class of numbers we will call integers...

1: https://news.ycombinator.com/item?id=9755742

I agree with you, my point was to illustrate that at some point, everyone needs to place some trust (even if implicitly). I'm as paranoid as the next person, but this is just the reality.
Yeah, that "sheesh" wasn't directed at you, but at the even more ludicrous amount of work required to not have to trust a third party. The response wasn't a rebuttal, I just felt I had more to say. :)
It's easier to trust that the maintainer compiled upstream properly instead of backported/mismerged because of a stupid OS policy preventing you from incrementing version numbers.
Ergo: use a distribution like Arch Linux or Gentoo. Arch Linux has the advantage that you don't have to build everything from source yourself. Both have the advantage that the build scripts are easy to understand (Arch PKGBUILDs more so, IMHO).

In the end you will always arrive at a chicken and egg situation, you will ultimately need to trust the engineers who designed your CPU and chipset, the VLSI design software which they used, the developers who wrote the compiler and toolchain, the tools used to bootstrap it, external libraries, etc.

The world ultimately runs on trust, no matter how you slice it.

This whole issue got raised by the package maintainers from Debian[1], so yeah, there are sources and people you could consider trusting.

But of course nothing beats compiling from source.

[1] https://news.ycombinator.com/item?id=9724409

If you don't have the time, skillset or inclination to review the source you're compiling yourself, trusting a third party who you have reason to put faith in beats compiling from source yourself.
> But of course nothing beats compiling from source.

Did you assemble a bootstrap compiler yourself? Your binary compiler could be backdoored! [1]

[1] https://en.wikipedia.org/wiki/Backdoor_(computing)#Compiler_...

I've no idea why you've been downvoted. While it's not amazingly pertinent, it's worth noting that security from source assumes your compiler is being honest.