On Mon, Jan 27, 2014, at 22:41, Elmar Stellnberger wrote: > However locally stored > checksums are not of use as they can > be manipulated arbitrarily. > This shouldn't be a concern when using signed packages, correct? Or if that's still a problem couldn't we just teach `pkg check` to confirm signature of the repository matches before verifying checksums? _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"