Just brainstorming, but if by chance MELPA is not signed, I wonder if there are package managers that kind of kludge security a bit. Not perfection, but try to do the right thing. Enhancing MELPA or bypassing it.

For example, I don't know the current status of git's SHA-1 [?] crypto brokenness, but packages that use git could perhaps have their SHAs compared via multiple routes, or so. Maybe only Google-level actors could currently break SHA-1, for all I know.

At least you could check that the SHA you have is the same as lots of other users have?

Are Guix or Nix Debian-like in their signing infrastructure? I am just thinking out loud here for possible solutions for more security. Comparing multiple routes, using git's history, or a clever trick I am not thinking of now. What does el-get do?

Of course I am aware signing is only part of ensuring security, and MELPA does curating, and authors or computers could turn evil, but where there is a chain that reliably goes back to an author from the code you downloaded, it's a pretty good feeling.
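One way to do the "compare via multiple routes" check the message floats, as an added example that is not the poster's, MELPA's or any package manager's code: it assumes hypothetical route reports (an archive index, a mirror, a peer) and a constructed package archive, and it compares the git commit id alongside an independent SHA-256 of the archive bytes, so agreement on git's SHA-1 alone is not enough to accept.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample: bytes of a fake package archive and the commit id the
# recipe claims it was built from (placeholder, not a real MELPA package).
PACKAGE_BYTES = b";;; example.el --- constructed sample package\n(provide 'example)\n"
CLAIMED_COMMIT = "0123456789abcdef0123456789abcdef01234567"


@dataclass(frozen=True)
class RouteReport:
    """What one independent route (index, mirror, peer) says about the package."""
    route: str
    commit: str   # git commit id the route saw (SHA-1, as git reports it)
    sha256: str   # SHA-256 the route computed over the archive bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def cross_check(data: bytes, claimed_commit: str, reports: list, quorum: int):
    """Accept only if at least `quorum` routes agree with the download on both
    the commit id and the SHA-256. Returns (accepted, reasons); every
    dissenting route is named in reasons even when the quorum is reached."""
    local = sha256_hex(data)
    reasons, agreeing = [], 0
    for r in reports:
        problems = []
        if r.commit != claimed_commit:
            problems.append(f"commit {r.commit[:12]} != claimed {claimed_commit[:12]}")
        if r.sha256 != local:
            problems.append("sha-256 differs from downloaded bytes")
        if problems:
            reasons.append(f"{r.route}: " + "; ".join(problems))
        else:
            agreeing += 1
    if agreeing < quorum:
        reasons.append(f"only {agreeing} of {len(reports)} routes agree (need {quorum})")
        return False, reasons
    return True, reasons


if __name__ == "__main__":
    good = sha256_hex(PACKAGE_BYTES)
    reports = [RouteReport("archive-index", CLAIMED_COMMIT, good),
               RouteReport("mirror-a", CLAIMED_COMMIT, good),
               RouteReport("peer-b", "f" * 40, good)]   # one route disagrees
    for q in (2, 3):
        ok, why = cross_check(PACKAGE_BYTES, CLAIMED_COMMIT, reports, quorum=q)
        print(f"quorum={q}: accepted={ok}; {why}")
```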