
Wow, that's a good point. I'm going to pull the stuff I use directly into my dotfiles repo.

Again, that's why we want to add signatures to packages. This is probably always going to be a two-tier system though (some people are likely to not add a signature). There are other possible security systems as well, like MELPA could use GitHub and say "yes, this package is authoritative from there".

hits the stop button on a stopwatch

And now people realize why I'm a luddite and just keep all my dependencies rolled into my dotfiles repo directly and have done so for years.
