Friday, May 3, 2024
answers: 1 / hits: 690 / Wednesday, December 1, 2021, 4:15:06

I want to use a recent package from a PPA. How do I make sure that the PPA maintainer hasn't added any malicious code in the version provided there?



 Answers

  1. Install the devscripts package.

  2. Go to the PPA page and find the source package files associated with the package that you're interested in. Find the one that ends in .dsc.

  3. Run the command dget url_of_dsc_file. This will download and unpack the source code used to build the package into a directory. Rename this directory to ppa.

  4. Get the original source code to compare the PPA against. This could be the original upstream tarball from the project website that corresponds to the version you're using, or perhaps the most recent official Ubuntu release of the package (you can find a link to the latter .dsc from https://launchpad.net/ubuntu/+source/source_package_name). Download and unpack this, then rename this directory to upstream, using dget to download from a .dsc if needed.

  5. Now compare the upstream and ppa directories to see if any malicious changes have been introduced in ppa that were not present in upstream. You could use meld for this, which is a graphical diff viewer. apt-get install meld, then run meld upstream ppa. It will show you which files are new, changed or removed, and you can double-click on a file to see detailed changes in an easy-to-review format.



Since PPAs are built from source on Canonical's infrastructure, you can trust that the binary you have installed from the PPA matches the source that you review as above, provided that you trust Canonical. This should be acceptable given that you trust Canonical to build Ubuntu in the first place.


[#33020] Thursday, December 2, 2021
sharall

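A text-only way to do the comparison in step 5, as an added example that is not part of the original answer: it lists every file that differs between the upstream and ppa directories and sorts Debian maintainer scripts (which dpkg runs as root) and build files to the top. The function names and the ranking are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer): text-mode triage for step 5.
# Assumes the trees from steps 3 and 4 are unpacked as ./upstream and ./ppa.

# Print "A|D|M <path>" for every file added, deleted or modified in ppa.
changed_paths() {
    up=$1; ppa=$2
    { (cd "$up" && find . -type f); (cd "$ppa" && find . -type f); } |
    LC_ALL=C sort -u | while IFS= read -r p; do
        p=${p#./}
        if   [ ! -e "$up/$p" ];  then echo "A $p"
        elif [ ! -e "$ppa/$p" ]; then echo "D $p"
        elif ! cmp -s "$up/$p" "$ppa/$p"; then echo "M $p"
        fi
    done
}

# Rank a path by when its content gets executed.
risk_of() {
    case $1 in
        # Maintainer scripts: dpkg runs these as root at install/removal.
        debian/preinst|debian/postinst|debian/prerm|debian/postrm|\
        debian/*.preinst|debian/*.postinst|debian/*.prerm|debian/*.postrm)
            echo 1-install ;;
        # Build logic and patches applied on top of the upstream source.
        debian/rules|debian/patches/*|configure|*/configure|\
        Makefile*|*/Makefile*|*.mk|*.sh)
            echo 2-build ;;
        *)  echo 3-other ;;
    esac
}

# One line per changed file: rank, status, path; highest-priority first.
review() {
    changed_paths "$1" "$2" | while read -r st p; do
        printf '%s\t%s\t%s\n' "$(risk_of "$p")" "$st" "$p"
    done | LC_ALL=C sort
}

# Usage: sh ppa-triage.sh upstream ppa
if [ "$#" -eq 2 ]; then review "$1" "$2"; fi
```

The ranking only decides what to read first; every listed file still needs its detailed changes reviewed, for example with diff -u upstream/FILE ppa/FILE or in meld.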