If you doubt a program has a run-time backdoor, check the sources.
Maybe the installation-time scripts can be checked more or less automatically - but the programs can't IMHO because they are too complex.
A reliable way to ensure security of contributions is to have rules regarding official contributions that minimise the risk of a contribution being malignant. Similar rules exist with other distros. All those can be checked for easily:

1.) Any contributed binary rpms must have a corresponding src.rpm.

2.) A more stringent check is to actually only allow src.rpms and build the contribs automatically on a central buildserver. That way we know that the binaries have not been tampered with and do have the source to later analyse in case there has been a violation. This also ensures that things build correctly and are not just hacked to build on a particular unclean system.

3.) Another one could be to force contributors to disclose their real identity. This has security implications itself, because of privacy laws in various countries. Might be a difficult one to enforce. But I personally would only want to install a package of a verified source on anything that matters. Call me paranoid.

... cannot think of anything else right now ....
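A small policy checker for rule 1.) above, added here as an example and not code from the poster or any distro: every contributed binary rpm must point (via its SOURCERPM header) at a src.rpm that was also contributed, with the same version-release. The sample filenames and header values are constructed; `sourcerpm_of` wraps the real `rpm -qp --qf '%{SOURCERPM}'` query and is only needed when running against actual files.

```python
import re
import subprocess

# Constructed sample: binary rpm filename -> value of its SOURCERPM header,
# as `rpm -qp --qf '%{SOURCERPM}' file.rpm` would print it.
SAMPLE_BINARIES = {
    "foo-1.2-3.i386.rpm": "foo-1.2-3.src.rpm",
    "foo-devel-1.2-3.i386.rpm": "foo-1.2-3.src.rpm",  # subpackage, same srpm
    "bar-0.9-1.i386.rpm": "bar-0.9-1.src.rpm",        # srpm never contributed
    "baz-2.0-5.i386.rpm": "baz-2.0-4.src.rpm",        # built from another release
}
# Constructed sample: src.rpms that were actually contributed alongside.
SAMPLE_SOURCES = {"foo-1.2-3.src.rpm", "baz-2.0-4.src.rpm"}

# name-version-release.arch.rpm; name may itself contain dashes (foo-devel)
_NVR = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)\.rpm$")


def parse_nvr(filename):
    """Split an rpm filename into (name, version, release, arch)."""
    m = _NVR.match(filename)
    if not m:
        raise ValueError(f"not an rpm filename: {filename}")
    return m.group("name"), m.group("ver"), m.group("rel"), m.group("arch")


def check_binary(binary, sourcerpm, available_sources):
    """Return the list of policy violations for one binary rpm (empty = ok)."""
    problems = []
    if sourcerpm not in available_sources:
        problems.append(f"{binary}: source package {sourcerpm} was not contributed")
    _, bver, brel, _ = parse_nvr(binary)
    _, sver, srel, sarch = parse_nvr(sourcerpm)
    if sarch != "src":
        problems.append(f"{binary}: SOURCERPM {sourcerpm} is not a src.rpm")
    if (bver, brel) != (sver, srel):
        problems.append(f"{binary}: version-release {bver}-{brel} differs from source {sver}-{srel}")
    return problems


def check_contribution(binaries, available_sources):
    """Check every binary rpm in a contribution; returns all violations found."""
    problems = []
    for binary, sourcerpm in binaries.items():
        problems.extend(check_binary(binary, sourcerpm, available_sources))
    return problems


def sourcerpm_of(path):
    """Read the SOURCERPM header of a real file with the rpm tool (not used on the sample)."""
    out = subprocess.run(["rpm", "-qp", "--qf", "%{SOURCERPM}", path],
                         check=True, capture_output=True, text=True)
    return out.stdout.strip()


if __name__ == "__main__":
    for problem in check_contribution(SAMPLE_BINARIES, SAMPLE_SOURCES):
        print(problem)
```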