On Sat, Dec 22, 2012 at 8:20 AM, Stefan Monnier wrote:

> > I also think `M-x list-packages' should define a `v' shortcut to file-find
> > the .el file or tarball that constitutes the package without installing
> > it. That will contribute to security and it's really convenient, too.
>
> Actually, "installation" has several steps:
> - download.
> - install per se (i.e. copies the files at an appropriate place).
> - compile.
> - setup (i.e. arrange things such that the package is in the load-path
>   and its autoloads are active next time to start Emacs).
>
> The first two steps can be made to be safe.
>
>
>         Stefan

Hullo,

I would like to humbly provide some ideas here:

- In general, GNU is trusted (after all, we download our emacs from the GNU). This would imply to me that the GNU can GPG sign packages with a private/public key (Perhaps the precursor to this is emacs having a gpg implementation included).
- Then perhaps other repositories, such as marmalade could also sign their packages, and users could choose to trust that signature or not.
- Of course, this is analogous to the Debian/Launchpad/PPA approach, which has worked excellently for me and others. It may require quite a great deal of infrastructure work which I am entirely unfamiliar with.

Regards,
Paul
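The two ideas in this thread fit together: Stefan's point that only the download and copy steps are safe, and Paul's proposal that archives sign their packages and users choose which archive keys to trust. The added example below (written for this page, not code from Emacs or package.el, and in Go rather than Emacs Lisp) models that gate as a verification step that must pass before anything is compiled or added to the load-path. It stands in Ed25519 from the Go standard library for GPG, constructs two archives ("gnu" trusted, "marmalade" not yet trusted) with freshly generated keys, and shows how a good package, a tampered tarball, a package from an untrusted archive and a package from an unknown archive are each handled. Repository names, package names and tarball contents are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Repository models one package archive together with its signing public
// key and whether the user has chosen to trust that key.
type Repository struct {
	Name    string
	PubKey  ed25519.PublicKey
	Trusted bool
}

// Package is a downloaded tarball plus the detached signature the
// archive published next to it.
type Package struct {
	Name      string
	Repo      string
	Tarball   []byte
	Signature []byte
}

var (
	ErrUnknownRepo  = errors.New("package claims an archive we do not know")
	ErrUntrustedKey = errors.New("archive key is not trusted by the user")
	ErrBadSignature = errors.New("signature does not match tarball")
)

// VerifyPackage sits between the "download" step and the "install per se"
// step: nothing is copied into place, compiled or added to load-path until
// the tarball's signature verifies under a key the user trusts for the
// archive the package says it came from.
func VerifyPackage(repos map[string]Repository, pkg Package) error {
	repo, ok := repos[pkg.Repo]
	if !ok {
		return ErrUnknownRepo
	}
	if !repo.Trusted {
		return ErrUntrustedKey
	}
	// The signature covers the SHA-256 of exactly the bytes downloaded.
	digest := sha256.Sum256(pkg.Tarball)
	if !ed25519.Verify(repo.PubKey, digest[:], pkg.Signature) {
		return ErrBadSignature
	}
	return nil
}

// signTarball is the archive maintainer's side of the scheme, included so
// the example runs offline without a real archive or GPG installation.
func signTarball(priv ed25519.PrivateKey, tarball []byte) []byte {
	digest := sha256.Sum256(tarball)
	return ed25519.Sign(priv, digest[:])
}

// Scenario builds two constructed archives (one trusted, one not) and
// returns the verification results for four packages, in order: a good
// package from the trusted archive, the same package with a tampered
// tarball, a validly signed package from the untrusted archive, and a
// package claiming an archive the user has never configured.
func Scenario() []error {
	gnuPub, gnuPriv, _ := ed25519.GenerateKey(rand.Reader)
	marmPub, marmPriv, _ := ed25519.GenerateKey(rand.Reader)
	repos := map[string]Repository{
		"gnu":       {Name: "gnu", PubKey: gnuPub, Trusted: true},
		"marmalade": {Name: "marmalade", PubKey: marmPub, Trusted: false},
	}
	tar := []byte("constructed tarball bytes for foo-1.0") // constructed sample
	good := Package{Name: "foo", Repo: "gnu", Tarball: tar, Signature: signTarball(gnuPriv, tar)}

	tampered := good
	tampered.Tarball = append([]byte{}, tar...) // copy before flipping a byte
	tampered.Tarball[0] ^= 0xff

	fromMarm := Package{Name: "bar", Repo: "marmalade", Tarball: tar, Signature: signTarball(marmPriv, tar)}
	unknown := Package{Name: "baz", Repo: "unknown-archive", Tarball: tar, Signature: signTarball(gnuPriv, tar)}

	return []error{
		VerifyPackage(repos, good),
		VerifyPackage(repos, tampered),
		VerifyPackage(repos, fromMarm),
		VerifyPackage(repos, unknown),
	}
}

func main() {
	for i, err := range Scenario() {
		fmt.Printf("package %d: %v\n", i, err)
	}
}
```

The untrusted-archive case is deliberately distinct from the bad-signature case: the marmalade signature is cryptographically valid, and what blocks installation is only the user's trust decision about that key, which is the per-archive choice Paul describes. Flipping a single byte of the tarball fails verification, so the compile and setup steps that would execute package code never run on modified content.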