() Eric Abrahamsen
() Wed, 28 May 2014 17:56:09 +0800

   > What do you see for packages installed from archives other than ELPA?

   All installed packages are red and unsigned, and have *nothing* in
   their archive column -- it's not just ELPA, it's also Melpa and
   Marmalade.

   [details]

It sounds like the feature must still be implemented, everywhere.
For ELPA (i don't know about the others), this would entail an
additional stage for the release flow, at the least. It will not
be enough for a package to simply bump its version number; the ELPA
admin needs to sign either the package or the entire archive (IIUC
package.el), as well.

   I wonder if I should just make a list of installed packages,
   hose the whole thing, and start over...

I did that (w/ only two packages from ELPA) and saw no change,
and suspect you won't, either.

Hmm, i wonder where ELPA, Melpa, Marmalade, etc. admins/hackers
hang out to discuss design and interop. IRC? As Emacs makes a
nice root-kit platform, i hope security features for the package
system(s) are high priority for them... am i being realistic?

--
Thien-Thi Nguyen
   GPG key: 4C807502
   (if you're human and you know it)
      read my lisp: (responsep (questions 'technical)
                               (not (via 'mailing-list)))
                     => nil