Hi, just my personal reaction. Only repositories "covered" by key and certificate (thus using https) are Extra and HA-cluster directly from Sun. So these are something like "trusted".
But I think that at least Contrib and Development are ok too thanks this option in pkg tool : verify [-Hqv] [pkg_fmri_pattern ...] Validate the installation of packages in the current image. With -v, do more verbose reporting. With -q, print nothing, but return failure if there are any verification problems. File hashes are always checked. The -H option causes the headers to be omitted. If I understand it correct then file hashes are in manifest file with each package. I don't know about other option which will be what you are looking for. But if you have hashes then you can build your own mirror of repositories with packages you checked at least against their hash. -- This message posted from opensolaris.org _______________________________________________ opensolaris-help mailing list opensolaris-help@opensolaris.org