* Greg Minshall <minsh...@umich.edu> [2020-11-26 08:29]:
> Tim,
>
> > I think you missed my point. There is no benefit in MELPA adopting
> > signed packages because there is no formal code review and no vetting
> > of the individuals who submit the code.
>
> it occurs to me there might be one benefit: if George, whom you trust,
> says, "I've been running version 1.2.3 of package xYandZ from MELPA and
> i have a lot of confidence in it", then if you find that version of that
> package with a trusted MELPA signature, you maybe know that you and
> George are running the same software. i.e., it helps with the "web of
> trust" (if people still talk of that).
>
> (so, the requirement for this is not audited packages, but a solid,
> "secure", release procedure by MELPA.)
Maybe principles from the Freenet Web of Trust could somehow be implemented for Emacs users and our discussions. https://www.draketo.de/english/freenet/friendly-communication-with-anonymity