iamnothere 6 hours ago

Trust would need to be established through other channels, or through careful code review, same as a repo by an unknown dev on GitHub. Once trust is established, you can look for other repos owned by the same DID if you want to see more by the same dev. If multiple versions of the same repo exist, and you want to find the “real” one, you may look for the one recommended by a trusted source or the one that is mentioned most elsewhere. Failing that, you could look at development activity on the repo.

Imagine a project with multiple repos on GitHub (not “forks” but someone actually uploaded it as a new repo). Similar problem. I’ve seen this before with some simple C libraries that haven’t changed in years.