2. Almost all Trisquel packages come from Ubuntu's respective repositories
(e.g., the packages backported to Trisquel 7 are packages backported to
Ubuntu 14.04). When I write that they "come from Ubuntu", I mean they were
copied and maybe patched to satisfy Trisquel's exigences in term of freedom.
Trisquel hosts its own repositories. That includes the "backports". I do not
think Trisquel proposes any package directly copied from Debian, especially
not from Debian unstable. In my experience, Trisquel never crashes in normal
use (I run my home-made programs that sometimes run out of memory, hence the
kernel killing processes).
3. You can verify the integrity of the ISO with both 'md5sum' and GPG if that
is what you mean. When fetching the packages (during a NetInstall or later,
from the installed system), APT check their authentication and, by default,
does not install unauthenticated packages.
4. I guess you can use UNetbootin too.