It just seems like before the OpenBSD/ssh trojan a year or so ago, I never really heard about any source code being trojaned like that. Now I see a message like this every couple of weeks in my Bugtraq mailbox. I don't know if it's always been going on and I just didn't hear about it, or if there has really been an explosion in it, but as I said, it just seems to be getting out of hand.

I'm all for checking md5sums, but I'm not sure how that would protect me from some of the attacks that are happening now. If it was just a matter of a compromised FTP server, then I would agree. But if someone poisons the DNS so that if I ftp to ftp.bitchx.org and get resolved to a server in southeast Asia with trojaned source and MD5, how am I to know that I'm not on the real bitchx server? I also seem to recall a while back a trojaned package (can't remember the app, sorry) that was publicly released by the attacker as an updated version and was actually picked up by several legitimate distribution channels before the backdoor was discovered.

And sure, you can uninstall it once the problem is discovered or catch the next update, but if it has already opened backdoors all over your network, the damage is done. You've fixed the barn door after the horse is gone.
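An added example, not part of the post above, that makes the checksum argument concrete: a checksum fetched from the same mirror as the tarball passes for a trojaned copy just as well as for the real one, while a hash pinned from an independent channel (a signed announcement, a previously trusted copy) catches the swap. The tarball contents, file name and pinned hash are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample "releases": the genuine archive and a trojaned copy that a
# spoofed mirror would serve together with an attacker-generated .md5 sidecar.
GENUINE_TARBALL = b"bitchx-1.0.tar.gz: genuine source archive (constructed sample)\n"
TROJANED_TARBALL = b"bitchx-1.0.tar.gz: archive with a backdoor (constructed sample)\n"

# Hash obtained out of band (e.g. from an announcement you already trust), not
# from whatever host the DNS answer sent you to. Pinned here for the genuine file.
PINNED_SHA256 = hashlib.sha256(GENUINE_TARBALL).hexdigest()


def sidecar_md5(tarball: bytes) -> str:
    """What the mirror's .md5 file contains. Whoever controls the mirror (or the
    DNS answer that led you there) simply generates it for the file they serve."""
    return hashlib.md5(tarball).hexdigest()


def same_channel_check(tarball: bytes, md5_from_mirror: str) -> bool:
    """Tarball checked against a checksum fetched from the same source."""
    return hmac.compare_digest(hashlib.md5(tarball).hexdigest(), md5_from_mirror)


def out_of_band_check(tarball: bytes, pinned_sha256: str) -> bool:
    """Tarball checked against a hash obtained through an independent channel."""
    return hmac.compare_digest(hashlib.sha256(tarball).hexdigest(), pinned_sha256)


def verify_download(tarball: bytes, md5_from_mirror: str, pinned_sha256: str) -> dict:
    """Run both checks so the difference between them is visible side by side."""
    return {
        "same_channel_md5": same_channel_check(tarball, md5_from_mirror),
        "out_of_band_sha256": out_of_band_check(tarball, pinned_sha256),
    }


if __name__ == "__main__":
    for name, blob in (("genuine", GENUINE_TARBALL), ("trojaned", TROJANED_TARBALL)):
        # The mirror's sidecar always matches the mirror's file; only the
        # out-of-band hash distinguishes the two.
        print(name, verify_download(blob, sidecar_md5(blob), PINNED_SHA256))
```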