HACKER Q&A
📣 kefabean

How do I determine whether Open Core Legacy Patcher is trustworthy?


Kudos to Open Core Legacy Patcher - I have just resurrected an 11-year-old MacBook Air running Monterey with minimum fuss and decent performance. The fact that these tools are even possible shows for me that obsolescence is a feature, not a limitation, of macOS.

Above aside, how do I actually determine that OCLP is trustworthy and secure? Sure, I can look at the code, but without spending days/weeks sifting through tens of thousands of lines of code (not to mention all of the third-party modules), how do I go about doing this in practice? What am I looking for? Surely there must be numerous ways in which malicious activity could be concealed from the casual observer.


  👤 8organicbits Accepted Answer ✓
If you are worried about accidental vulnerabilities, a review of the code and how previous vulnerabilities were handled is a good measure. But this is time consuming, and you'd need to know what to look for.

If you are worried about intentional malware, I'll recommend building from source and disabling any automatic updates.

However, if security is really important to you, then you'd probably want something professionally made, that has a history of handling security issues well, and which comes with a warranty.