
Where did you get that flash drive of Linux?



From my Linux laptop? Or I guess I could have downloaded it using an Android tablet and torrents and copied it to a USB stick. Is this one of those threads where we keep asking 'and where did that come from?' until we reach the first dollar earned from selling lemonade?


> Is this one of those threads where we keep asking 'and where did that come from?'

At some point you have to trust someone. But who should you trust, and how much should you trust them?

Most people do not think about that and so we live with an Internet where privacy is almost impossible and most people just don't care about that.


Either that or you could inspect every line of OS source code before compiling and then inspect all the machine code of the compiler executable to make sure the compiler is not infected.


Instead of inspecting your normal compiler's machine code, you can create a small special purpose compiler to begin bootstrapping your main compiler from source. Most compilers (including GCC I believe) are specifically designed so that they can be bootstrapped from a relatively small subset of the language. Additionally, you do not need to worry about producing an efficient executable because you will only ever run the resulting program once.

However, there is also the risk that your host OS is compromised, in which case it may simply lie to you and do whatever it wants.


Even if you manage to guarantee OS and everything else safety, you still have to trust your own sanity.


Don't worry, I confirmed my sanity last week. I think.


Then you end up as abrasive as Theo de Raadt.


> Is this one of those threads where we keep asking 'and where did that come from?'

Yeah, pretty much. As soon as I say I trust X, then you know the first place to attack because I haven't secured it.


No. That recursive process can be short-circuited by verifying the secure hashes, and establishing the integrity of the installer binaries and source tarballs you've been using to install Linux.


And where are you going to get the hashes from to verify them?


If the paranoia runs that deep, and there's enough anxiety built into the scenario, then a substantial amount of responsibility must be adopted before embarking upon your journey.

This means your options are limited, but if you believe you have a real adversary, then your adversary defines the scenario.

Option 1: Obtain source code, and secure a build environment. Review the source code. Build from source, and test the behavior of the built product. This approach incorporates some cognitive dissonance, particularly when building crypto software from source. The axiom "never roll your own crypto" brushes closely against building a tool like PuTTY from source. How do you know you did it right? Well... does anyone REALLY ever know?

Option 2: Pay through the nose, and carefully identify the entities you accept assistance from. Do your accomplices carry any conflicts of interest? This includes your ISP, and the open source project you've selected as the authors of your tools. Do you need to pay for professional class internet service, including pre-defined static TCP/IP routing across leased lines? Do you need to speak directly with the team that develops your software? Have you considered paying for a proprietary tool, with a service agreement? Is what you're doing legal? Do you carry liability insurance, in case damages result from your actions? Do you own life insurance?

If you're confronting an opponent, is the scale of your opponent real, or imaginary? The manner in which you arm yourself for the confrontation will be priced accordingly.

...but the short answer is: obtaining hashes over SSL from a source with a certificate that can be validated by a "trust-worthy" certificate authority is "probably" okay for most ordinary people, who aren't confronting state-sponsored adversaries.


Nope; you can't trust SD cards either, not even if you copied things directly from a host that you trust: http://www.bunniestudios.com/blog/?p=3554



