Re: package.el + DVCS for security and convenience

[Ted Zlatanov]

On Mon, 31 Dec 2012 12:06:22 -0800 Phil Hagelberg <address@hidden> wrote: 

PH> I don't see any benefit to using version control tools on the client
PH> side. It may make sense to use them to build the repository, but having
PH> the repository consist simply of a pile of static files on disk is a
PH> very valuable property that we shouldn't give up lightly.

I proposed some benefits in my followup to Nic Ferrier and before.  But
it seems that the consensus from you, him, and Tom is to avoid the DVCS
integration, so I'll drop the proposal.  Unless my eloquence has
convinced you all in the meanwhile :)

PH> Adding SSL to the existing implementation would be fairly easy and has
PH> no downsides, so it should be done soon; it's low-hanging fruit that can
PH> be improved quicker than adding signatures.

I worry it will lower the incentive to do the signature work, and SSL is
known to be compromised at many levels.

PH> I would just like to add that I consider writing an OpenPGP
PH> implementation in Emacs to be a very bad idea--we simply do not have the
PH> resources to get the auditing that would be necessary to get this to a
PH> level of quality that we could trust. Using GnuPG would be both quicker
PH> to implement and result in much higher-quality code. If there are
PH> concerns that people may not use it because it's difficult to install
PH> then our efforts would be better spent on making it easier to
PH> install.

OK.  Stefan asked for GnuPG as well, so an OpenPGP implementation is not
happening anytime soon.

PH> I'm very glad to see movement on this front though--the current state of
PH> affairs is an improvement over everyone pulling packages in from the
PH> wiki but still has a long way to go before it's something properly
PH> trustworthy.

Your opinions and expertise are greatly appreciated (and also Tom, Nic,
Stefan, Stephen, and everyone else who has contributed to the threads).

Ted