How can I make sure open source software is safe?

Episode 1296 (34:56)

Dave from Concord, CA

Tony wants to know how to check that the ISO of an open source program is legit. Leo says that an ISO is shown to be legit by signing. A hash of the ISO has to be generated to provide proof that it is legitimate. If the ISO has changed, then the hash changes too. There's also a signing key, which is based on GPG encryption. It has to be authenticated by the developers of the software.

The bottom line is that computing is a matter of trust, and Leo recommends using open source tools for MD5 verification. If he's downloading from legitimate sources, he can trust that they are verified by experienced users. Could it still be hacked even from legitimate sources? Leo says sure, but it's usually only for a very short time. Some sites can get bitten, but it is usually discovered and fixed shortly. At the end of the day, computing, like life, is about trust.
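The hash check described above, as an added example that is not from the show: it reads a published checksum list in the `md5sum`/`sha256sum` line format, picks the algorithm from the digest length, and compares it with the hash of the downloaded file. The file name `example.iso` and its contents are constructed sample data. A matching hash only proves the file matches the list, so the list itself still has to be authenticated with the developers' signing key, and SHA-256 is the better choice over MD5 when the project publishes both.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> hashlib algorithm name.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX = set("0123456789abcdefABCDEF")

def parse_checksum_file(text):
    """Parse lines of the form '<hex digest>  <filename>' into {filename: digest}."""
    entries = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        name = name.strip().lstrip("*")  # a leading '*' marks binary mode
        if len(digest) in ALGO_BY_HEX_LEN and set(digest) <= HEX and name:
            entries[name] = digest.lower()
    return entries

def file_digest(path, algo, chunk_size=1 << 20):
    """Hash the file in chunks so a multi-gigabyte ISO is never loaded whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_iso(path, checksum_text):
    """Return (matches, algorithm); raises KeyError if the file is not listed."""
    expected = parse_checksum_file(checksum_text)[os.path.basename(path)]
    algo = ALGO_BY_HEX_LEN[len(expected)]
    return hmac.compare_digest(file_digest(path, algo), expected), algo

def demo():
    """Constructed sample: a stand-in 'ISO', its checksum line, then one changed byte."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "example.iso")
        with open(iso, "wb") as f:
            f.write(b"constructed sample image contents\n")
        published = f"{file_digest(iso, 'sha256')}  example.iso\n"
        before = verify_iso(iso, published)
        with open(iso, "ab") as f:  # the download is altered after the list was made
            f.write(b"\x00")
        return before, verify_iso(iso, published)

if __name__ == "__main__":
    print(demo())
```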