This article reminded me of the Reflections on Trusting Trust paper - old but wild example of how you could have compiled open source code but still not have complete security. Only 3 pages, although I had to re read it a few times.