Continuing with 10.3 without pkg support

In other words, if I point pkg at my chosen third-party and it downloads a package, are there mechanisms in place to confirm that the package is genuine? I can see the mirror provides a digests.txz file but a misbehaving mirror could potentially serve a bad package and a deliberately-crafted digests.txz, and I would be none the wiser.

However, on reflection, I presume this is handled for me by pkg -- if the packages came from a true mirror of pkg.freebsd.org, pkg is going to install these without issue; and if they were built by an independent ports-mgmt/poudriere, I would have to explicitly configure trusting a different key.

Are these package repositories using signing? Do they provide the public key to the packages? It's not mandatory. We have public repositories of packages with no key signing, i.e. 'signature-type: none', and a private server repository that's signed, i.e. 'signature-type: pubkey'.

There are also checksums on packages to help verify authenticity and integrity.

Nothing's guaranteed, though.
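The signing settings mentioned in the reply above can be checked per repository. As an added example (not part of any post in this thread), this sh function reads a pkg repository configuration file and reports each repository's `signature_type` (the key name as spelled in pkg.conf(5)), flagging repositories with no signature verification. The repository names, URLs and key path in the sample are constructed, and the awk parsing assumes one key per line.

```sh
#!/bin/sh
# Added example (not from the thread): report signature_type per repository.
# Simplified parsing: one "name: {" per block, one key per line.

audit_repo_conf() {   # $1 = path to a pkg repository .conf file
    awk '
        /^[ \t]*#/ { next }                          # skip comment lines
        /^[ \t]*[A-Za-z0-9_.-]+[ \t]*:[ \t]*[{]/ {   # block start, e.g. "FreeBSD: {"
            name = $0
            sub(/^[ \t]*/, "", name); sub(/[ \t]*:.*/, "", name)
            sig = ""; inblock = 1; next
        }
        inblock && /signature_type/ {
            sig = $0
            sub(/.*signature_type[ \t]*[:=][ \t]*/, "", sig)
            gsub(/[",; \t]/, "", sig)
            sig = tolower(sig)
        }
        inblock && /^[ \t]*[}]/ {
            if (sig == "") sig = "none"              # assumption: unset means unsigned
            verdict = (sig == "pubkey" || sig == "fingerprints") ? "SIGNED" : "UNSIGNED"
            print name, sig, verdict
            inblock = 0
        }
    ' "$1"
}

# Constructed sample configuration (hypothetical repo names, URLs, key path).
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/quarterly",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}
thirdparty: {
  url: "http://mirror.example.org/${ABI}/latest",
  signature_type: "none",
  enabled: yes
}
poudriere: {
  url: "https://pkg.example.org/packages",
  signature_type: "pubkey",
  pubkey: "/usr/local/etc/ssl/certs/poudriere.pub"
}
EOF

audit_repo_conf "$sample_conf"
rm -f "$sample_conf"
```

On a live system, `pkg -vv` prints the repository settings pkg has actually loaded, which is the authoritative view once several configuration files override each other.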
 
In the first 10 replies, only one addresses my question directly (I missed it first time round, I'm sorry). Some useful replies after I asked everyone to stay on topic.

I'm glad all the people who are just telling me to upgrade are so absolutely confident in the upgrade process, and haven't ever been bitten by any issue during their lifetime. I haven't had that same experience. There's a myriad of things I need to check and be comfortable with in myself, before I pull the trigger on such a potentially-destructive process.

Now that you've cut through what you considered to be all the answers that didn't address your issue, please allow me to do the same and address the real issue in your own words.

It wasn't till four days ago that I used pkg for the first time to build a desktop from scratch.

That was my experience and there's no reason it can't be just as easy for you. You've already stated it's not a Production server and that you're a "hobbyist". I'm a 10th Grade High School Dropout but I don't have a hobby. I have FreeBSD desktops.

You mentioned a fiscal and temporal budget. Maybe time is money for you because that's all it will cost.

It took me about 2 hours on that T43. Most of that time was used compiling the one port I had to fix. If you're running a server on a LAN you don't have to install all the programs I did or do the work setting up a desktop.


So what it boils down to, it would take you 2 hours at the most to build FreeBSD 12.2-RELEASE-p4 and be completely up to date but you haven't got the confidence in yourself to do it.

I'm here to help.

Just substitute pkg for ports, like I basically outlined how to do in my previously linked post, take what you can use and leave the rest.

 