Where possible, artifacts should be obtained only from trusted sources and verified using appropriate methods (e.g., PGP keys). In the case of open source software, consider building it yourself.
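
One way to apply the PGP check above, as an added example (not from the original page): accept an artifact only when its detached signature validates against a pinned publisher fingerprint, because `gpg --verify` on its own succeeds for any key present in the keyring. The fingerprints, sample status lines, and function names are constructed for illustration.

```python
import subprocess

# Assumption: publisher's signing-key fingerprint, obtained out of band.
# Constructed placeholder, not a real key.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"  # constructed

# gpg status keywords that mean the signature must not be relied on.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def signature_trusted(status_text, pinned_fpr=PINNED_FPR):
    """Return True only if every signature reported in gpg's --status-fd
    output is valid and was made by the pinned key (or one of its subkeys)."""
    pinned = pinned_fpr.replace(" ", "").upper()
    signers = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            return False
        if keyword == "VALIDSIG" and args:
            # args[0]: fingerprint of the signing (sub)key; args[-1]: primary key.
            signers.append({args[0].upper(), args[-1].upper()})
    return bool(signers) and all(pinned in s for s in signers)

def verify_artifact(artifact, signature, keyring, pinned_fpr=PINNED_FPR):
    """Run gpg against a dedicated keyring and apply the pinned-key check."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", signature, artifact],
        capture_output=True, text=True)
    return proc.returncode == 0 and signature_trusted(proc.stdout, pinned_fpr)

def _status(fpr, verdict="GOODSIG"):
    # Constructed status lines shaped like gpg's output for one signature.
    return (f"[GNUPG:] {verdict} 89ABCDEF01234567 Example Release Key\n"
            f"[GNUPG:] VALIDSIG {fpr} 2024-01-01 1704067200 0 4 0 1 10 00 {fpr}\n")

SAMPLE_PINNED = _status(PINNED_FPR)
SAMPLE_OTHER_KEY = _status(OTHER_FPR)  # valid signature, wrong signer
SAMPLE_EXPIRED = _status(PINNED_FPR, "EXPKEYSIG")  # signer's key has expired
SAMPLE_BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Release Key\n"

if __name__ == "__main__":
    for name in ("SAMPLE_PINNED", "SAMPLE_OTHER_KEY", "SAMPLE_EXPIRED", "SAMPLE_BAD"):
        print(name, signature_trusted(globals()[name]))
```

`verify_artifact` expects a keyring file that holds only the publisher's key, so keys imported elsewhere on the machine cannot satisfy the check.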