
You also cannot assume that the original author of PuTTY isn't secretly working for the NSA, or whoever. The fact is, the ONLY safe way to get PuTTY is to indeed grab the code, go through it line by line, and then build it, and hope that your compiler isn't infected as well. I am just pointing out that it's more difficult to hide things inside the code than it is in the built binary, not impossible, but more difficult.

Web-of-trust, whatever that might mean, isn't helpful because you ultimately have to trust someone. How do you know the person you are trusting isn't an NSA agent?



>How do you know the person you are trusting isn't an NSA agent? //

You don't, but the top node in your web has to be trusted by lots of other people, some ideally are able to confirm the code is kosher - you need a massive conspiracy to happen or to have put your trust in people who couldn't care less about putting their name to malicious software.

It's like if dang tells you something is an official HN policy you might trust it, but if that statement by dang is signed by other HN officials then you're going to be pretty certain that's true.

Kinda like a technical "social proof". If I know that Stallman, Torvalds, Wozniak are using a piece of software then I'm going to be pretty confident that it's been checked out as much as any piece of software. Yes they could _all_ be endorsing it because the NSA told them to.
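The threshold reasoning in the reply above (a key is good if one fully trusted introducer vouches for it, or several marginally trusted ones do, so subverting it means subverting several people at once) is what a web-of-trust validity computation actually encodes. The following is an added example, not code from either commenter: a toy implementation in the style of GnuPG's classic trust model. The three thresholds are GnuPG's documented defaults (`--completes-needed 1`, `--marginals-needed 3`, `--max-cert-depth 5`); the key names, owner-trust assignments and certification edges are constructed for the demo and use the names from the comment only as labels.

```python
"""Toy web-of-trust validity check (constructed example, not GnuPG itself).

Keys are plain strings. A certification (signer, signee) means the signer has
vouched that the signee's key belongs to its claimed owner. Owner trust is how
much *you* trust a key's owner to certify other keys carefully, and it only
counts once that owner's own key is valid. A key is valid if it is your root,
or is certified by at least COMPLETES_NEEDED fully trusted valid keys, or by at
least MARGINALS_NEEDED marginally trusted valid keys, within MAX_CERT_DEPTH
hops of the root.
"""
from collections import defaultdict

COMPLETES_NEEDED = 1   # GnuPG default: one fully trusted introducer suffices
MARGINALS_NEEDED = 3   # GnuPG default: three marginal introducers suffice
MAX_CERT_DEPTH = 5     # GnuPG default: longest certification chain accepted

FULL, MARGINAL, NONE = "full", "marginal", "none"


def compute_validity(root, owner_trust, certifications):
    """Return {key: depth} for every key that comes out valid.

    Iterates to a fixed point: a key can only become valid after the keys that
    certify it have become valid, so newly valid keys may unlock further ones.
    """
    signers_of = defaultdict(set)
    for signer, signee in certifications:
        signers_of[signee].add(signer)

    depth = {root: 0}            # the root (your own key) is valid by definition
    changed = True
    while changed:
        changed = False
        for key, signers in signers_of.items():
            if key in depth:
                continue
            full = marginal = 0
            nearest = None
            for s in signers:
                # Only valid signers within the depth limit contribute.
                if s not in depth or depth[s] >= MAX_CERT_DEPTH:
                    continue
                trust = owner_trust.get(s, NONE)
                if trust == FULL:
                    full += 1
                elif trust == MARGINAL:
                    marginal += 1
                else:
                    continue
                nearest = depth[s] if nearest is None else min(nearest, depth[s])
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                depth[key] = nearest + 1
                changed = True
    return depth


def is_valid(key, root, owner_trust, certifications):
    return key in compute_validity(root, owner_trust, certifications)


def trusted_vouchers(key, root, owner_trust, certifications):
    """The valid, trusted signers whose word makes `key` valid: the set of
    parties that would all have to be wrong or colluding for the key to be
    bogus (the 'massive conspiracy' cost from the comment)."""
    valid = compute_validity(root, owner_trust, certifications)
    return {s for s, t in certifications
            if t == key and s in valid and owner_trust.get(s, NONE) != NONE}


# ---- constructed sample data (hypothetical keys, not real fingerprints) ----
ROOT = "me"
OWNER_TRUST = {
    "me": FULL,
    "dang": FULL,            # I trust dang's certifications completely
    "stallman": MARGINAL,    # each of these alone is not enough
    "torvalds": MARGINAL,
    "wozniak": MARGINAL,
}
CERTIFICATIONS = [
    # keys I checked fingerprints for myself
    ("me", "dang"), ("me", "stallman"), ("me", "torvalds"), ("me", "wozniak"),
    ("dang", "hn-official"),                       # one full introducer
    ("stallman", "putty-release-key"),             # three marginal introducers
    ("torvalds", "putty-release-key"),
    ("wozniak", "putty-release-key"),
    ("stallman", "lone-key"),                      # only one marginal: not enough
    ("stranger", "phantom"),                       # signer not valid: ignored
]


def demo():
    """Sorted list of keys that come out valid for the sample data."""
    return sorted(compute_validity(ROOT, OWNER_TRUST, CERTIFICATIONS))


if __name__ == "__main__":
    for k in demo():
        print(k, "depth", compute_validity(ROOT, OWNER_TRUST, CERTIFICATIONS)[k])
    print("lone-key valid?", is_valid("lone-key", ROOT, OWNER_TRUST, CERTIFICATIONS))
    print("vouchers for putty-release-key:",
          trusted_vouchers("putty-release-key", ROOT, OWNER_TRUST, CERTIFICATIONS))
```

Run it and `putty-release-key` comes out valid at depth 2 because three marginal introducers agreed, while `lone-key` (one marginal signature) and `phantom` (signed only by a key that is not itself valid) do not; `trusted_vouchers` makes the comment's point concrete, since undermining `putty-release-key` means all three of its vouchers being compromised, whereas `hn-official` rests on `dang` alone.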



