In a nutshell: trust, but verify.
Trust (the short version): we have a reputation to maintain and are not naive regarding the risks. Since 2008, we've poured our hearts and souls into TurnKey. Over a million images have been downloaded. It's a free software project. Full source code for everything is available. You can use the build system to build any solution in the library from scratch. There's no place for bad stuff to hide. If there was any funny business going on, someone would have surely discovered our evil plans by now.
Verify: Since TurnKey GNU/Linux solutions are built mostly from unmodified Debian binaries, it is possible for anyone to verify the integrity of the binaries that make up a solution against the original package signatures from the official Debian repositories.
Custom TurnKey packages are updated from our cryptographically signed package repository. Full source code for all custom components is available on GitHub, and so is the source code to all the appliances.
To prevent tampering, we sign all releases so that users can cryptographically verify the integrity of their downloads. Also, our virtual appliances are configured to automatically verify the cryptographic integrity of any package (including custom components) that is installed through the package management system (e.g., automatic security updates).
In other words, users should be able to trust a TurnKey installation as much as they trust a normal general-purpose installation of Debian.
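The check against the Debian repositories described above, as an added example (not TurnKey's own tooling): an APT repository's signed Release file covers the `Packages` indexes, and each index entry carries the `Size` and `SHA256` of one `.deb`. The sketch assumes the `Packages` text has already been authenticated against that signature; the package name, version and bytes are constructed sample data.

```python
import hashlib

REQUIRED = {"Package", "Version", "Architecture", "Size", "SHA256"}

def parse_packages(text):
    """Parse an APT Packages index into {(name, version, arch): fields}."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and key:   # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if REQUIRED <= fields.keys():             # skip incomplete stanzas
            ident = (fields["Package"], fields["Version"], fields["Architecture"])
            index[ident] = fields
    return index

def verify_deb(index, name, version, arch, data):
    """Compare the bytes of a .deb with its index entry; return (ok, reason)."""
    entry = index.get((name, version, arch))
    if entry is None:
        return False, "not in index"              # e.g. a locally built package
    if len(data) != int(entry["Size"]):
        return False, "size mismatch"
    if hashlib.sha256(data).hexdigest() != entry["SHA256"].lower():
        return False, "sha256 mismatch"
    return True, "ok"

# Constructed sample: stand-in bytes for a .deb and a matching index stanza.
SAMPLE_DEB = b"constructed stand-in for the bytes of a .deb archive\n"
SAMPLE_PACKAGES = f"""Package: example-pkg
Version: 1.0-1
Architecture: amd64
Description: constructed entry
 with a continuation line
Filename: pool/main/e/example-pkg/example-pkg_1.0-1_amd64.deb
Size: {len(SAMPLE_DEB)}
SHA256: {hashlib.sha256(SAMPLE_DEB).hexdigest()}
"""

if __name__ == "__main__":
    idx = parse_packages(SAMPLE_PACKAGES)
    print(verify_deb(idx, "example-pkg", "1.0-1", "amd64", SAMPLE_DEB))
    print(verify_deb(idx, "example-pkg", "1.0-1", "amd64", SAMPLE_DEB + b"x"))
```

A package reported as "not in index" is not necessarily tampered with; it only means this index cannot vouch for it.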
If there is anything else we can do to satisfy our more paranoid users, please let us know.