emacs-orgmode

Re: Security issues in Emacs packages


From: Greg Minshall
Subject: Re: Security issues in Emacs packages
Date: Thu, 26 Nov 2020 08:29:02 +0300

Tim,

> I think you missed my point. There is no benefit in MELPA adopting
> signed packages because there is no formal code review and no vetting
> of the individuals who submit the code.

it occurs to me there might be one benefit: if George, whom you trust,
says, "I've been running version 1.2.3 of package xYandZ from MELPA and
i have a lot of confidence in it", then if you find that version of that
package with a trusted MELPA signature, you maybe know that you and
George are running the same software.  i.e., it helps with the "web of
trust" (if people still talk of that).

(so, the requirement for this is not audited packages, but a solid,
"secure", release procedure by MELPA.)

cheers, Greg


