> On Aug 11, 2015, at 7:25 PM, Stefan Monnier <monnier@iro.umontreal.ca> wrote:
> 
>> Even if packages were signed and I could verify all of them, I still don't
>> think it's the NSA's business which packages I've requested from ELPA.
>> It would be nice if ELPA were available over TLS to provide both an
>> additional level of security,
> 
> AFAIK you can already use "https://..." addresses.  This should work for
> the GNU ELPA server, at least.

Okay, I was sure I'd hit https://elpa.gnu.org and it was a connection error before I posted this bug.  I just did again and it worked, so... I must have been in error.

>> and to provide an interim solution while we are waiting for
>> package signing.
> 
> All GNU ELPA packages are signed and Emacs-24.5 does check them if you
> have GPG installed.

Thanks also for this bit of information.  It should probably require that GPG be installed if package.el is to be used then, but that is a separate issue.

Sorry for the bogus report!