New comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/issues/22126#issuecomment-630802620

Comment:
> compromised due to some hacking attempt on the official repository

First there are signatures for packages, if they can't be verified xbps will not install the package.
But if the official repository is really compromised including private keys, checking the checksum of files doesn't do anything as the source of those checksums is the compromised package signed with the compromised key.