First post, by malicious
The thread on an alternative download site for DOSBox brought up an interesting question, that is, how to trust an unofficial mirror with no established reputation. The suggestion to ask the developers for their blessing before putting up such a mirror is well and good as a matter of courtesy, but that alone doesn't solve the problem. Even if the developers have the time and interest to audit a fan site once for initial approval, they would also need to repeat the process on an ongoing basis to ensure that the site remains a trustworthy source for the project's files. My guess is the DOSBox developers don't want that extra work.
Another possible solution is to digitally sign files or provide official cryptographic hashes for them. That would allow users to verify the integrity of the files regardless of where they're downloaded from, be it a fan site or SourceForge, should they experiment with injecting adware into project files again.
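As an added illustration (this is example code, not the poster's or the DOSBox project's), the hash-based approach above works like this in Python: the project publishes a `sha256sum`-style manifest on its own site, and the user checks whatever a mirror served against it. The manifest format is the one produced by the common `sha256sum` tool; the file names and contents below are constructed for the example, and the "official" manifest is generated in-script so the sample is self-contained.

```python
"""Verify mirror-downloaded files against an officially published SHA-256 manifest.

Constructed example: the manifest stands in for one fetched from the project's
own site (over TLS), never from the mirror being checked; otherwise an attacker
who can alter the download can alter the hashes to match.
"""
import hashlib
import hmac
from typing import Dict

HEX_DIGITS = set("0123456789abcdef")


def sha256_hex(data: bytes) -> str:
    """Return the lowercase hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse `sha256sum` output: '<64 hex digits>  <filename>' per line.

    A leading '*' on the filename (binary-mode marker) is accepted. Lines that
    are blank or start with '#' are ignored. Anything else malformed, including
    a digest of the wrong length (e.g. an MD5), is rejected rather than skipped.
    """
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: malformed entry")
        digest, name = parts
        digest = digest.lower()
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"manifest line {lineno}: not a SHA-256 hex digest")
        entries[name.lstrip("*")] = digest
    return entries


def verify_files(manifest: Dict[str, str], files: Dict[str, bytes]) -> Dict[str, str]:
    """Check each downloaded file against the manifest.

    Status per file: 'ok' (digest matches), 'MISMATCH' (content differs from the
    official release), or 'UNLISTED' (the mirror offers a file the project never
    published, which is exactly how a bundled installer would show up).
    """
    results: Dict[str, str] = {}
    for name, data in files.items():
        expected = manifest.get(name)
        if expected is None:
            results[name] = "UNLISTED"
            continue
        actual = sha256_hex(data)
        # compare_digest avoids timing leaks; harmless here, good habit everywhere.
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results


# --- Constructed sample data (not real DOSBox release files) ---------------
OFFICIAL_FILES = {
    "dosbox-example.zip": b"constructed official archive bytes",
    "readme.txt": b"constructed readme text",
}
# Manifest as the project would publish it (sha256sum format, two spaces).
MANIFEST_TEXT = "\n".join(
    f"{sha256_hex(data)}  {name}" for name, data in OFFICIAL_FILES.items()
)
# What a hypothetical mirror serves: the archive has been modified, the readme
# is intact, and an extra "bonus" installer appears that the project never shipped.
MIRROR_FILES = {
    "dosbox-example.zip": OFFICIAL_FILES["dosbox-example.zip"] + b"\x00adware-stub",
    "readme.txt": OFFICIAL_FILES["readme.txt"],
    "bonus-installer.exe": b"constructed unexpected extra file",
}


def verify_mirror_download() -> Dict[str, str]:
    """Run the check for the constructed mirror and return per-file statuses."""
    return verify_files(parse_manifest(MANIFEST_TEXT), MIRROR_FILES)


if __name__ == "__main__":
    for name, status in verify_mirror_download().items():
        print(f"{status:9} {name}")
```

The important property is that the verifier only trusts the manifest's origin, not the mirror's; a hash list hosted on the same untrusted site adds nothing. Signing the manifest itself (for example with a release key the project publishes) would extend this so the manifest, too, can be mirrored freely.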