* On 2014-07-11 at 16:39 BST, Yasha Karant wrote:

> I have not found a pkgsrc RPM that would automatically install and
> configure pkgsrc for an EL system.

There is none that I am aware of. Setting up a build environment for pkgsrc is outside of the scope of a single RPM.

> What is the answer to a fundamental question:
>
> how secure and authenticated is the pkgsrc repository (non-RPM, but
> a repository nonetheless)?

As far as the builds go they use the same mechanisms that you quoted - each downloaded distfile is verified for both SHA1 and RMD160 checksums to ensure their integrity.

As far as the repository itself, it is secure. The part which is missing which I'd like to address for my other package sets too is that the packages themselves are not currently signed. pkgsrc has infrastructure support for this, but I am missing some bootstrap bits to ensure the packaging tools have the necessary features to support it.

> In so far as possible, I use SL and related repositories because these
> in practice are reasonably secure and authenticated. I do what I
> can to avoid using contaminated/compromised sources or executables,
> and work as "root" as secure as is practicable.

Sure, this is good practice. There is of course an element of trust here, but as a company which relies on community involvement a breach of that trust would be pretty catastrophic, so I will certainly do all I can to ensure it isn't broken.

Regards,

-- 
Jonathan Perkin - Joyent, Inc. - www.joyent.com
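The distfile check described in the reply, as an added illustration that is not pkgsrc's own code: a small fail-closed verifier for a `distinfo` fragment in pkgsrc's `ALGO (file) = value` layout. The distinfo text and the distfile contents are constructed; the RMD160 availability fallback and the `required` tuple are assumptions of this example.

```python
import hashlib
import re

# Constructed distinfo fragment in pkgsrc's format (SHA1, RMD160 and Size per distfile).
# The digests are the standard test-vector values for the 3-byte input b"abc".
DISTINFO = """\
$NetBSD$

SHA1 (example-1.0.tar.gz) = a9993e364706816aba3e25717850c26c9cd0d89d
RMD160 (example-1.0.tar.gz) = 8eb208f7e05d987a9b044a8e98c6b087f15a0bfc
Size (example-1.0.tar.gz) = 3 bytes
"""

LINE_RE = re.compile(r"^(\w+) \(([^)]+)\) = (\S+)")


def parse_distinfo(text):
    """Return {distfile: {check: value}} from lines such as 'SHA1 (f) = hex'."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            check, name, value = m.groups()
            entries.setdefault(name, {})[check] = value
    return entries


def _digest(algo, data):
    """Hex digest via hashlib, or None if the crypto library lacks the algorithm."""
    try:
        h = hashlib.new(algo.lower())
    except ValueError:
        return None
    h.update(data)
    return h.hexdigest()


def verify_distfile(distinfo_text, name, data, required=("SHA1", "RMD160", "Size")):
    """Check every required entry for one distfile; returns (ok, {check: status}).

    Fail closed: a missing entry, an unavailable digest or any mismatch rejects the file.
    """
    recorded = parse_distinfo(distinfo_text).get(name)
    if recorded is None:
        return False, {"distinfo": "no entry for distfile"}
    results = {}
    for check in required:
        expected = recorded.get(check)
        if expected is None:
            results[check] = "missing"
        elif check == "Size":
            results[check] = "ok" if expected == str(len(data)) else "mismatch"
        else:
            actual = _digest(check, data)
            if actual is None:
                results[check] = "unavailable"
            else:
                results[check] = "ok" if actual == expected.lower() else "mismatch"
    return all(status == "ok" for status in results.values()), results
```

Note that this only proves the distfile matches what `distinfo` records; the `distinfo` file itself still has to come from a trusted checkout, which is the gap the unsigned packages discussion above is about.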