emacs-devel

Re: package.el + DVCS for security and convenience


From: Stephen J. Turnbull
Subject: Re: package.el + DVCS for security and convenience
Date: Mon, 07 Jan 2013 11:03:07 +0900

Ted Zlatanov writes:

 > I'm actually suggesting that the GNU ELPA maintainers (note the "GNU
 > ELPA" part here, this is not any ELPA maintainer) should review and sign
 > *every* commit to the GNU ELPA.

I have no idea what you think you're proposing.  Security reviews are
expensive; I doubt you'll have anybody willing to maintain GNU ELPA
after a couple of months of that, unless you pay handsomely, or you
enlist a maintainer per package or so to reduce the burden on
individual maintainers to a manageable level.  The obvious candidates
for the latter are the authors.

If they are not security reviews, what's the point of reviewing at
all?  You just want signed commits, verifying that the commit was
actually received at the GNU ELPA.  AFAICS this can be done by a bot,
which checks the authors' signatures on the commits.


