I assume that git (not GitHub) verifies that, if you check out a hash, the contents of the commit match the hash.
Anyway, software is so complicated that at some level, you need to trust something because it's impossible to personally comprehend and audit all code.
So, you still need to trust git. You still need to trust your OS. You still need to trust the hardware. You just don't have enough minutes in your life to go down through all those levels and understand it well enough to know that there's nothing malicious in there.