I came across an interesting and a very informational post by Thomas Koch while reading planet.debian.org. And I really believe that this has to be talked about a lot more, Primarily to create awareness among novice (and seasoned) users of FOSS.
It is a common practice with most of us to download source tarballs and binary packages from all over the interweb. Although few of the seasoned/experienced users among the FOSS community follow the double-check-with-signatures-and-hashes process before blindly trusting the source, I think it pays to exercise caution even if it seems like paranoia. Like the age old adage 'it is better to be safe, than sorry', it is better to be over-cautious than to have our data lost and/or our identity stolen.
In this age of online-transactions (money and data) and ubiquitous use of wireless networks, our 'security' is only as strong as the processes we follow to ascertain the source of the software we use or the websites we visit. A few things that i tend to follow:
* Install software from authorised software channels (like official repositories, whose keys/signatures are verified and trusted)
* if building and installing from source, make sure that the source is downloaded from authorised source repository and even then double check with signatures and MD5 hashes.
* And if installing from source, test before you actually install it on your primary machine (on a virtual machine)
Bringing about process changes are always difficult, but these changes will go a long way in protecting your system and eventually your 'virtual identity' and data.