That makes sense. But I only brought up the MELPA example because I
recently encountered a security bug in a MELPA package. There's no reason
ELPA packages can't have similar security bugs (I just don't have an
example of this at the moment), and I figured it might be a good idea to
have some support for making it easier for users to quickly get security
updates for packages, regardless of what repository they're using.

On Sat, Aug 13, 2022, 8:23 PM Richard Stallman <rms@gnu.org> wrote:

> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
> [[[ whether defending the US Constitution against all enemies,     ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>
> We do not endorse or point to MEPLA, because it doesn't uphold our
> principles of rejecting nonfree software.  So we don't get involved in
> maintaining MELPA.  We have nothing to do with it.
>
> When there is a package that happens to be in MELPA that we want to
> recommend to users, we can put it in NonGNU ELPA.  There, we can give
> it a little emergency maintenance if that seems called for.
>
> --
> Dr Richard Stallman (https://stallman.org)
> Chief GNUisance of the GNU Project (https://gnu.org)
> Founder, Free Software Foundation (https://fsf.org)
> Internet Hall-of-Famer (https://internethalloffame.org)
>
>
>