I mean, untarring a downloaded tarball from somewhere and running `make` is just as dangerous, right? Only there you can make sure the checksum matches, but people skip that step all the time.
Matches against what? If the website is compromised the checksum can be compromised as well.
If the tarball is not PGP-signed by the author (e.g. Bazaar and Tor Project do that), checking the checksum is basically checking that the server you're downloading from didn't have any silent data corruption (see the recent KDE hosting incident), because in transit TCP does its own checksumming anyway.
My point exactly. No one is ever actually going to read all the code, so you have to start your trust somewhere. Especially if you're going to type `sudo make install` at the end (which is why I advocate things like ~/.local to prevent the need for that, but I digress).
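The checksum-vs-signature point made above, worked through as an added example (not posted by anyone in the thread). It models a download page that serves a tarball, a SHA256SUMS file and a detached signature, then shows what `sha256sum -c` and `gpg --verify` each catch when the server is compromised versus when a file silently rots on the hosting side. To keep it dependency-free the signature is a minimal Lamport one-time signature over SHA-256; that is a stand-in for the PGP signature a real project would publish, and the tarball bytes, file names and the "pinned public key" are all constructed for the demonstration.

```python
"""Checksum-vs-signature verification of a downloaded tarball (added example).

A checksum file served by the same web server as the tarball is only as
trustworthy as that server; a signature verified against a public key pinned
out of band still fails when the server is compromised.  The signature scheme
is a toy Lamport one-time signature built on SHA-256 so this runs with the
standard library alone; a real project would publish a PGP signature.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Tuple

KeyPair = Tuple[bytes, bytes]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen() -> Tuple[List[KeyPair], List[KeyPair]]:
    """256 pairs of random 32-byte secrets; the public key is their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def _bits(digest: bytes) -> List[int]:
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk: List[KeyPair], message: bytes) -> List[bytes]:
    """Reveal one secret per bit of SHA-256(message). One-time: never reuse sk."""
    return [sk[i][bit] for i, bit in enumerate(_bits(sha256(message)))]


def lamport_verify(pk: List[KeyPair], message: bytes, sig: List[bytes]) -> bool:
    """Each revealed secret must hash to the public-key half selected by the message bit."""
    if len(sig) != 256:
        return False
    ok = True
    for i, bit in enumerate(_bits(sha256(message))):
        ok &= hmac.compare_digest(sha256(sig[i]), pk[i][bit])
    return ok


@dataclass
class MirrorListing:
    """What the download page serves: tarball, SHA256SUMS entry, detached signature."""
    tarball: bytes
    sha256sums: str
    signature: List[bytes]


def publish(sk: List[KeyPair], tarball: bytes) -> MirrorListing:
    return MirrorListing(tarball, hashlib.sha256(tarball).hexdigest(), lamport_sign(sk, tarball))


def compromise_server(listing: MirrorListing, backdoored: bytes) -> MirrorListing:
    """Attacker controlling the web server swaps the tarball and regenerates the
    checksum file next to it; without the author's private key the old signature stays."""
    return MirrorListing(backdoored, hashlib.sha256(backdoored).hexdigest(), listing.signature)


def corrupt_in_storage(listing: MirrorListing) -> MirrorListing:
    """Silent bit flip on the hosting side: the tarball changes, the checksum file does not."""
    flipped = bytearray(listing.tarball)
    flipped[0] ^= 0x01
    return MirrorListing(bytes(flipped), listing.sha256sums, listing.signature)


def checksum_ok(listing: MirrorListing) -> bool:
    """What `sha256sum -c SHA256SUMS` checks: the tarball against a file from the same server."""
    return hmac.compare_digest(hashlib.sha256(listing.tarball).hexdigest(), listing.sha256sums)


def signature_ok(pinned_pk: List[KeyPair], listing: MirrorListing) -> bool:
    """What `gpg --verify` checks: the tarball against a key obtained out of band."""
    return lamport_verify(pinned_pk, listing.tarball, listing.signature)


def demo() -> dict:
    author_sk, author_pk = lamport_keygen()
    pinned_pk = author_pk  # constructed: fetched once earlier, fingerprint confirmed out of band
    genuine = publish(author_sk, b"constructed tarball: legitimate release 1.0\n")
    cases = {
        "genuine": genuine,
        "compromised_server": compromise_server(genuine, b"constructed tarball: release 1.0 + backdoor\n"),
        "storage_corruption": corrupt_in_storage(genuine),
    }
    return {name: (checksum_ok(l), signature_ok(pinned_pk, l)) for name, l in cases.items()}


if __name__ == "__main__":
    for name, (c, s) in demo().items():
        print(f"{name:20s} checksum={'ok ' if c else 'BAD'} signature={'ok' if s else 'BAD'}")
```

The compromised-server case is the one that matters: the checksum check passes because the attacker rewrote SHA256SUMS along with the tarball, and only the signature check, whose key never came from that server, fails. The storage-corruption case is the one thing the same-server checksum does catch.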