You run the same risk with freebsd's /usr/ports, rpm's and deb's, java web start and active x, that you download from various places.

Update: b10m asked me about md5's and /usr/ports. Just because you have an md5 of an archive doesn't mean someone won't do something evil on the Makefile in the downloaded archive or 9 functions level deep in the actual program. We all trust each other (in the world) to different degrees, which takes time.