Re: package.el + DVCS for security and convenience

[Ted Zlatanov]

On Thu, 03 Jan 2013 11:41:10 -0500 Stefan Monnier <address@hidden> wrote: 

SM> The important thing is that GPG can always be installed, so if the user
SM> cares about checking integrity, she can install GPG.

OK, we're using GPG as you described.

Now, since everyone but Xue Fuqiao has told me that tying package.el to
the DVCS is a bad idea, we need to decide how these signatures will be
stored in the ELPA, and how they can fit into the existing ELPA
structure.  Nic Ferrier's proposal of a "key package" seems workable;
that package can be signed with the GNU ELPA maintainer's public key to
bootstrap the rest of the process.

I asked Tom Tromey and Phil Hagelberg for suggestions but haven't heard
back yet.  I'd like to get their take and yours before jumping to the
coding stage.

Ted