For a quick summary from all your answers since Martin's, if I may.
His answer is still perfectly valid to me.

Assuming you trust everything before, because not assuming that is confusing 
and counterproductive in this particular discussion,
I wanted to focus on the following, while there is probably work there too (there always is): 
- upstream software in pkgsrc. pkgsrc-vulnerabilities is a partial answer, 
right?
- packagers
- builders
So, assuming the above:
- https is more trivial to use
- https only protects the link between you and the binary packages server
- sigs protect from the builder to you; this adds a lot

Also, while it is relevant to compare https and signatures, security is about 
resilience.
There must be a valid trust chain to which to add strata, if possible.

Obviously, deciding to sign packages involves asking questions about key 
management.
Be that as it may, the decision to believe is already made, the objective is to 
formalize it.

Yours sincerely
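As an added illustration of the distinction drawn in the list above (https covers only the link to the package server, a builder signature covers the path from the builder to you), not code from this thread or from pkgsrc: a constructed Go model in which a builder signs a package with Ed25519, a server or mirror behind an intact TLS link alters the bytes, and the client verifies against the builder's pinned public key. The package layout, the name binding, and the key handling are assumptions for the example; real pkgsrc signature formats are not modelled.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// SignedPackage: constructed stand-in for a package plus detached signature (not pkgsrc's real format).
type SignedPackage struct {
	Name    string
	Payload []byte
	Sig     []byte
}

// signedBytes binds the package name to its payload so a signature made for
// one package cannot be replayed over another package's contents.
func signedBytes(name string, payload []byte) []byte {
	return append([]byte(name+"\x00"), payload...)
}

// BuilderSign is the builder's step: sign once with the builder's private key.
func BuilderSign(priv ed25519.PrivateKey, name string, payload []byte) SignedPackage {
	return SignedPackage{Name: name, Payload: payload, Sig: ed25519.Sign(priv, signedBytes(name, payload))}
}

// ClientVerify is the installer's step, using the builder's pinned public key.
// It does not depend on which server, mirror or transport delivered the package.
func ClientVerify(pub ed25519.PublicKey, p SignedPackage) error {
	if !ed25519.Verify(pub, signedBytes(p.Name, p.Payload), p.Sig) {
		return errors.New("signature does not verify under the pinned builder key")
	}
	return nil
}

// Tamper models a compromised package server or mirror behind a perfectly
// valid TLS link: the bytes change after the builder signed them.
func Tamper(p SignedPackage) SignedPackage {
	p.Payload = bytes.Replace(p.Payload, []byte("good"), []byte("evil"), 1)
	return p
}

// Demo signs a constructed package and returns the client's verdict for the
// genuine copy (nil) and for the copy altered in transit (an error).
func Demo() (genuine, tampered error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	p := BuilderSign(priv, "example-1.0.tgz", []byte("good package bytes"))
	return ClientVerify(pub, p), ClientVerify(pub, Tamper(p))
}
```

The pinned public key is the "trust chain" the message refers to: distributing and rotating it is the key-management question, and TLS on the download does not answer it.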
