Big detail: signatures

When do we update a package ?
when it changes
... or when its build dependencies change
so each package records its dependencies: @depend and @wantlib
that's a package signature

Confusing:
internally, pkg_add manipulates package locations
they have names
they come from somewhere
two packages of the same names can be different