On Fri, 9 Sep 2011 16:16:02 +0000 (UTC) Stuart Henderson wrote:

> > My understanding is that packages from the official site and mirrors are not signed.
> >
> > All the files that are downloaded when you build a port are checked against
> > the "distinfo" file.
>
> correct, if this is an issue, build your own packages from ports;
> dpb(1) can help. ports distfiles are checked with sha256 sigs.
Using ssh and read-only ports is best but slow; there are also SHA256 files in the snapshot packages folder which you can use to check them. You can download these from multiple servers and from multiple computers/connections if you like, which would make life very difficult for any attacker who hasn't gotten low down the chain. Considering kernel.org got hacked recently you may well trust those packages far more than GPG-signed Linux binaries, which may also affect the heart of every Linux system. LOL... I wonder how Microsoft would answer this question in relation to Windows updates/programs, or Adobe even.
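The cross-mirror check the message describes, as an added example that is not from the thread or from OpenBSD: given SHA256 listings already fetched from several mirrors (filenames and the sample package are constructed here), it refuses the package unless every listing agrees on the hash and the local file matches it. It assumes the BSD-style `SHA256 (file) = hex` line format used by the snapshot SHA256 file and that either sha256sum(1) or sha256(1) is installed.

```shell
#!/bin/sh
# Added example: verify a downloaded package against SHA256 listings
# fetched independently from several mirrors. Listing lines are assumed
# to look like:   SHA256 (demo-1.0.tgz) = <64 lowercase hex chars>

# Hash a file with whichever digest tool the system has (GNU or BSD).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Print the hash recorded for package $2 in listing file $1 (empty if absent).
# Regex metacharacters in the package name are escaped before matching.
listed_hash() {
    name_re=$(printf '%s' "$2" | sed 's/[.[\*^$]/\\&/g')
    sed -n "s/^SHA256 ($name_re) = \([0-9a-f]\{64\}\)\$/\1/p" "$1" | head -n 1
}

# verify_pkg FILE LISTING...
# Returns 0 only if every listing names FILE with the same hash and that
# hash equals the file's actual digest. 1: entry missing from a listing,
# 2: mirrors disagree, 3: the file does not match the agreed hash.
verify_pkg() {
    pkg=$1; shift
    name=$(basename "$pkg")
    actual=$(hash_file "$pkg")
    expected=""
    for listing in "$@"; do
        h=$(listed_hash "$listing" "$name")
        [ -n "$h" ] || { echo "no entry for $name in $listing" >&2; return 1; }
        if [ -z "$expected" ]; then
            expected=$h
        elif [ "$h" != "$expected" ]; then
            echo "mirrors disagree on $name ($listing)" >&2; return 2
        fi
    done
    [ "$actual" = "$expected" ] || { echo "hash mismatch for $name" >&2; return 3; }
    echo "ok: $name"
}

# Usage: verify_pkg ./demo-1.0.tgz SHA256.mirror1 SHA256.mirror2 SHA256.mirror3
```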

