SCIENTIFIC-LINUX-USERS Archives

July 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Jonathan Perkin <[log in to unmask]>
Reply To: Jonathan Perkin <[log in to unmask]>
Date: Fri, 11 Jul 2014 17:05:16 +0100
Content-Type: text/plain
Parts/Attachments: text/plain (39 lines)

* On 2014-07-11 at 16:39 BST, Yasha Karant wrote:

> I have not found a pkgsrc RPM that would automatically install and
> configure pkgsrc for an EL system.

There is none that I am aware of.  Setting up a build environment for
pkgsrc is outside of the scope of a single RPM.

> What is the answer to a fundamental question:
> 
> how secure and authenticated is the pkgsrc repository (non-RPM, but
> a repository nonetheless)?

As far as the builds go they use the same mechanisms that you quoted -
each downloaded distfile is verified for both SHA1 and RMD160
checksums to ensure their integrity.

As far as the repository itself goes, it is secure.  The part which is
missing which I'd like to address for my other package sets too is
that the packages themselves are not currently signed.  pkgsrc has
infrastructure support for this, but I am missing some bootstrap bits
to ensure the packaging tools have the necessary features to support
it.

> In so far as possible, I use SL and related repositories because these
> in practice are reasonably secure and authenticated.  I do what I
> can to avoid using contaminated/compromised sources or executables,
> and work as "root" as secure as is practicable.

Sure, this is good practice.  There is of course an element of trust
here, but as a company which relies on community involvement a breach
of that trust would be pretty catastrophic, so I will certainly do all
I can to ensure it isn't broken.

Regards,

-- 
Jonathan Perkin  -  Joyent, Inc.  -  www.joyent.com
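The distfile check Jonathan describes, as an added example that is not part of the list message or of pkgsrc's own tooling: a small verifier that parses a distinfo-style list of checksums and checks a downloaded file against every recorded digest and its size. The "ALGO (file) = value" layout is assumed from memory of pkgsrc's distinfo files, the distinfo text and the archive bytes are constructed (the digests are the standard "abc" test vectors, not checksums of any real distfile), and the function names are mine. It fails closed: if an algorithm cannot be computed on this Python build (RIPEMD-160 is absent from some OpenSSL configurations) the file is not accepted, because a check that silently skips one of the two digests is weaker than the policy the message describes.

```python
import hashlib
import re

# Constructed distinfo in the "ALGO (file) = value" layout used by pkgsrc
# (layout assumed from memory; values are the public "abc" test vectors,
# not checksums of a real distfile).
DISTINFO = """\
SHA1 (example-1.0.tar.gz) = a9993e364706816aba3e25717850c26c9cd0d89d
RMD160 (example-1.0.tar.gz) = 8eb208f7e05d987a9b044a8e98c6b087f15a0bfc
Size (example-1.0.tar.gz) = 3 bytes
"""

# Constructed stand-in for the bytes of the downloaded archive.
DISTFILE = b"abc"

# hashlib algorithm names for the labels that appear in distinfo.
HASH_NAMES = {"SHA1": "sha1", "RMD160": "ripemd160"}

LINE_RE = re.compile(r"^(\w+) \((\S+)\) = (\S+)")


def parse_distinfo(text):
    """Return {filename: {ALGO: value}} from distinfo text.

    Lines that do not match the pattern (blank lines, an RCS Id header)
    are ignored.
    """
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        algo, fname, value = m.groups()
        entries.setdefault(fname, {})[algo] = value
    return entries


def verify_distfile(data, expected):
    """Check data against every entry recorded for one file.

    Returns {ALGO: status} where status is 'ok', 'mismatch', or
    'unavailable' (the digest is not provided by this Python build).
    """
    results = {}
    for algo, value in expected.items():
        if algo == "Size":
            # "3 bytes": compare the numeric part with the actual length
            results[algo] = "ok" if len(data) == int(value.split()[0]) else "mismatch"
            continue
        name = HASH_NAMES.get(algo)
        if name is None:
            results[algo] = "unavailable"
            continue
        try:
            digest = hashlib.new(name, data).hexdigest()
        except ValueError:  # hashlib raises this for unsupported hash types
            results[algo] = "unavailable"
            continue
        results[algo] = "ok" if digest == value.lower() else "mismatch"
    return results


def accept(results):
    """Fail closed: every recorded digest and the size must verify.

    An 'unavailable' digest counts as a failure, so a build without
    RIPEMD-160 support does not quietly downgrade to SHA1-only checking.
    """
    return bool(results) and all(status == "ok" for status in results.values())


if __name__ == "__main__":
    entries = parse_distinfo(DISTINFO)
    for fname, expected in entries.items():
        results = verify_distfile(DISTFILE, expected)
        print(fname, results, "ACCEPT" if accept(results) else "REJECT")
```

Note that this only establishes integrity relative to the distinfo file itself: if the repository that ships distinfo is compromised, an attacker can update both the archive and its checksums together, which is why the message treats package signing as the missing piece rather than a stronger checksum.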
