help-gnu-emacs

Re: is melpa just unsigned?


From: Samuel Wales
Subject: Re: is melpa just unsigned?
Date: Thu, 25 May 2023 23:07:18 -0700

thank you to all.

iiuc, these are my quick and tentative impressions/conclusions:

- compared to e.g. debian, security is probably not widely considered
a top priority in most of emacs community atm
- big array of interesting pm options, both inside [pms, paradox] and
outside [guix, nix, debian] of emacs
- repos: i have chosen gnu elpa, non-gnu elpa, and package.el for now.
they are signed.  they are simple.
- i would add elpa devel and nongnu elpa devel, but updating with U
for some reason updates to those even when repo priorities are set
with those lower priority than elpa and nongnu elpa
- i don't really know much about non-gnu elpa or the devel repos
- for other packages, idk.  git clone from repo or so?  idk.
- i typically update packages every few years
- answer to q is: melpa, not even package list, is probably not signed?
- melpa probably isn't for me as i don't need its recency and would
prefer signing or so.  i like the vetting.
- idk if quelpa, elpaca, etc. are for me; might or might not be; same
with guix and nix.  cannot investigate.
- relying on debian might impede portability
- probably no package / pm uses clever hacks to improve security or
help user vet code or provenance
- emacs wiki anybody can edit as a repo is a bit too radical for my taste
- emacs mirror idk much about but maybe a pm can fetch, keeping the
points of failure to just one repo or so idk

-- 
The Kafka Pandemic

A blog about science, health, human rights, and misopathy:
https://thekafkapandemic.blogspot.com


