I mentioned this before release, when there probably wasn't time to address it, but it's something I think should be fixed.
Not all of the files installed by pkg_add are verified. For instance, DESC can be replaced by a forgery and neither pkg_info nor pkg_add will notice. pkg_add will happily install the bogus DESC file in /var/db/pkg. A forged DESC may seem harmless (after all, it's only metadata), but I believe this is nevertheless a violation of policy and user expectation.
