emacs-devel

Re: package.el + DVCS for security and convenience


From: Stefan Monnier
Subject: Re: package.el + DVCS for security and convenience
Date: Tue, 08 Jan 2013 16:20:50 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3.50 (gnu/linux)

>> Stefan has confirmed (I believe) the GNU ELPA maintainers will use a
>> single "GNU ELPA" key to sign package releases.
> Have you given up on having every commit signed?

I haven't even tried to sign a single Bzr commit.  Hell, I use GPG
rarely enough, that I typically end up having to create a new key
because I can't remember the password I used for the last one.

And I worry about what happens if/when we restructure the repository
(currently we have a single Bzr branch with all packages in it (except
for Org), but we'll probably want to move to a setup where more packages
have their own branches, also we may move from Bzr to something else).

And I'm not sure what would be the gain with such signatures: I'm
shocked to hear people would trust me, since I don't trust myself (and
some (former?) friends of mine know I'm not trustworthy).
[ For the record, I work in the context of certified programming, where
you don't want to trust people at all, and instead expect them to give
you a formal proof that their code is safe.  ]

> You are highly skilled at missing the point.
Let's try to stay clear of such ad-hominem, please.


        Stefan


