New comment by ahesford on void-packages repository

https://github.com/void-linux/void-packages/issues/22126#issuecomment-630801749

Comment:
The only files not checked are those marked "mutable" or "configuration" because, as the category names suggest, these files are subject to change on individual systems. Hashes are stored locally, so as long as you trusted the Void repo at the time of install, you can continue to trust the validation of `xbps-pkgdb -a`. There is no method to verify that a repo hasn't been compromised.