On 6 Mar 2012, at 21:17, Donald Curtis wrote:

> I was talking in #emacs today and realized that because EmacsWIKI has no authentication method, anyone could put in some very bad elisp to one of the packages that we package from EmacsWIKI. Sure, for the most part we believe everyone is trustworthy, but there is no validation or verification from our end. So as a rule I am migrating some of the EL packages to personal git repositories with a small script to update them periodically. I feel like this is a better approach and something I hadn't thought about.

Yeah, that's indeed a potential concern. I've been through all the same loops, from el-get to a home-rolled periodic-downloading solution like yours, and finally figured I just wanted everything in ELPA packages. The installed code is just as risky, but I gain in terms of installation convenience. I doubt anyone expects an ELPA archive to vouch for the safety of every package it hosts.
Now, one approach would be to have a separate repo for emacswi