That's exactly the answer I was waiting and hoping for. Thank you. I'll follow tech-pkg from now on. Packages must be signed.
From: Martin Husemann <mar...@duskware.de>
To: Ottavio Caruso <ottavio2006-usenet2...@yahoo.com>
Subject: Re: pkgsrc binary packages security with pkgin
Date: 31/01/2020 09:51:53 Europe/Paris
Cc: netbsd-users@netbsd.org

Let me (as someone not heavily involved in pkgsrc and binary pkg building) try to unriddle a few bits that I think get easily confused in this context.

When it comes to 3rd party packages, you have to trust:

(1) the original source of the package ("upstream") and its release policies.

Assuming that the released source has no bad things hidden, you then have to trust:

(2) pkgsrc (or the committers of the pkg and all its dependencies and all patches involved) to not do anything bad.

From that point on we can help with various checks. When building a pkg (locally or in a bulk build environment) pkgsrc verifies that the distribution file it downloaded matches the hashes recorded at (2). The result of that build is a binary pkg, and if you did build locally, you are done here
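The fetch-time check Martin describes, comparing the downloaded distfile against the hashes recorded in pkgsrc, as an added illustration that is not from this thread or from pkgsrc's own tooling; the distinfo line format (`ALGO (file) = value`, `Size (file) = N bytes`) and the sample distfile are assumptions used for the example.

```python
"""Check a fetched distfile against pkgsrc-style distinfo entries.

Assumed format (not from the mail): one entry per line, e.g.
  BLAKE2s (pkg-1.0.tar.gz) = <hex>
  SHA512 (pkg-1.0.tar.gz) = <hex>
  Size (pkg-1.0.tar.gz) = 1234 bytes
"""
import hashlib
import re

DISTINFO_LINE = re.compile(r"^(\w+) \((\S+)\) = (\S+)(?: bytes)?$")


def parse_distinfo(text):
    """Return {filename: {algorithm: recorded value}}; $NetBSD$ and blank lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = DISTINFO_LINE.match(line.strip())
        if m:
            algo, fname, value = m.groups()
            entries.setdefault(fname, {})[algo] = value
    return entries


def verify_distfile(fname, data, entries):
    """Return a list of problems; an empty list means every recorded check matched."""
    recorded = entries.get(fname)
    if recorded is None:
        return ["no distinfo entry for %s" % fname]
    problems = []
    for algo, expected in recorded.items():
        if algo == "Size":
            actual = str(len(data))
        else:
            try:
                actual = hashlib.new(algo.lower(), data).hexdigest()
            except ValueError:
                problems.append("unsupported algorithm %s" % algo)
                continue
        if actual != expected:
            problems.append("%s mismatch for %s" % (algo, fname))
    return problems


# Constructed sample: a stand-in distfile and the distinfo a committer would have recorded for it.
SAMPLE_NAME = "pkgname-1.0.tar.gz"
SAMPLE_DISTFILE = b"constructed stand-in for the real tarball contents\n"
SAMPLE_DISTINFO = "\n".join([
    "$NetBSD$",
    "",
    "BLAKE2s (%s) = %s" % (SAMPLE_NAME, hashlib.blake2s(SAMPLE_DISTFILE).hexdigest()),
    "SHA512 (%s) = %s" % (SAMPLE_NAME, hashlib.sha512(SAMPLE_DISTFILE).hexdigest()),
    "Size (%s) = %d bytes" % (SAMPLE_NAME, len(SAMPLE_DISTFILE)),
])
```

A clean result only means the file matches what was recorded at step (2); it says nothing about step (1) or about who later built and served the binary package.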