That's exactly the answer I was waiting and hoping for. Thank you.

I'll follow tech-pkg from now on. Packages must be signed.



From: Martin Husemann <mar...@duskware.de>
To: Ottavio Caruso <ottavio2006-usenet2...@yahoo.com>
Subject: Re: pkgsrc binary packages security with pkgin
Date: 31/01/2020 09:51:53 Europe/Paris
Cc: netbsd-users@netbsd.org

Let me (as someone not heavily involved into pkgsrc and binary pkg building)
try to unriddle a few bits that I think get easily confused in this context.

When it comes to 3rd party packages, you have to trust:

(1) the original source of the package ("upstream") and its release policies.

Assuming that the released source has no bad things hidden, you then have
to trust:

(2) pkgsrc (or the committers of the pkg and all its dependencies and all
patches involved) to not do anything bad

From that point on we can help with various checks. When building a pkg
(locally or in a bulk build environment) pkgsrc verifies the distribution
file it downloaded does match the hashes recorded at (2). The result of
that build is a binary pkg, and if you did build locally, you are done here
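The distfile check Martin describes above (comparing the downloaded distribution file against the hashes and size recorded in pkgsrc), as an added Python example that is not part of this thread or of pkgsrc itself. The distinfo line format follows pkgsrc's; the package file name and its contents are constructed for illustration.

```python
import hashlib
import re

# Entry format used by pkgsrc distinfo files, e.g.
#   SHA512 (foo-1.0.tar.gz) = <hex digest>
#   Size (foo-1.0.tar.gz) = 1234 bytes
_ENTRY = re.compile(r"^(\w+) \((.+)\) = (\S+)(?: bytes)?$")

# Hash algorithms this checker understands (pkgsrc records BLAKE2s and SHA512).
_ALGOS = {"BLAKE2s": hashlib.blake2s, "SHA512": hashlib.sha512}


def parse_distinfo(text):
    """Return {filename: {field: value}} from distinfo text, skipping the $NetBSD$ tag."""
    entries = {}
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            field, name, value = m.groups()
            entries.setdefault(name, {})[field] = value
    return entries


def record_distinfo(name, data):
    """What a committer records at step (2): hashes and size of the fetched distfile."""
    lines = [f"{algo} ({name}) = {fn(data).hexdigest()}" for algo, fn in _ALGOS.items()]
    lines.append(f"Size ({name}) = {len(data)} bytes")
    return "\n".join(lines) + "\n"


def verify_distfile(distinfo_text, name, data):
    """Return a list of problems; an empty list means the download matches distinfo."""
    recorded = parse_distinfo(distinfo_text).get(name)
    if not recorded:
        return [f"no distinfo entry for {name}"]
    problems = []
    if "Size" in recorded and int(recorded["Size"]) != len(data):
        problems.append("size mismatch")
    checked = [algo for algo in _ALGOS if algo in recorded]
    for algo in checked:
        if _ALGOS[algo](data).hexdigest() != recorded[algo]:
            problems.append(f"{algo} mismatch")
    if not checked:
        problems.append("no supported hash recorded")  # refuse to accept an unverifiable file
    return problems


# Constructed sample: a stand-in distfile and the distinfo a committer would record for it.
DISTFILE = b"constructed distfile contents standing in for foo-1.0.tar.gz\n"
DISTINFO = "$NetBSD$\n\n" + record_distinfo("foo-1.0.tar.gz", DISTFILE)
```

A real build fetches the distfile from upstream and only then runs this comparison, so a mirror or download altered after the hashes were committed is rejected before anything is extracted.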
