>>>> "Stephen" == Stephen J Turnbull <turnbull(a)sk.tsukuba.ac.jp> writes:
Stephen>
>>>> "Pete" == Pete Ware <ware(a)cis.ohio-state.edu> writes:
Pete> When I originally wrote the code, one thing I was concerned
Pete> about was XEmacs being easily exploited for trojan horse
Pete> attacks.
Stephen>
Stephen> Good. I disagree with Greg Klandermann here; you need to cater to the
Stephen> _most_ paranoid among us, not the _least_.

I didn't mean to suggest that we should only have an insecure method but
rather that we not be required to use a secure method. From what Pete
wrote I was imagining a mechanism where the package-get-base.el was
encrypted and completely useless unless I'd installed PGP, etc. Your
suggestion for something that works even if you don't have PGP, and
incurs no pain to check the signature if you do is ideal. Now we
just need someone to implement it.

So is something like the following reasonable:

On entry to any of the package update code, if we haven't loaded an
up-to-date package-get-base.el

* find-file-noselect /ftp.xemacs.org:/pub/xemacs/packages/package-get-base.el.current
  (location should be customizable for those behind firewalls,
  but it sure would be nice if it were in a fixed location so
  this is completely automatic for those on the net with EFS)
* check the signature if you have PGP, otherwise warn the
  user and ask if they want to continue. I guess this means
  you have to have previously grabbed the XEmacs public key?
* eval the buffer.
* kill the buffer.

greg
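
The flow proposed in the message above, sketched as an added example; it is not part of the original post and not XEmacs code. It assumes GnuPG's `gpgv` in place of PGP, a detached signature file fetched alongside the index, a keyring holding only the previously obtained signing key, and GNU Emacs Lisp primitives; every `my-*` name and the keyring path are hypothetical.

```elisp
;;; Added example.  All my-* names, the keyring path and the detached
;;; signature file are assumptions for illustration.
(defvar my-index-keyring (expand-file-name "~/.xemacs/xemacs-pubkey.gpg")
  "Keyring holding only the previously obtained package-signing public key.")

(defun my-index-signature-ok-p (index-file sig-file)
  "Return non-nil if gpgv accepts SIG-FILE as a signature over INDEX-FILE.
gpgv trusts only keys in `my-index-keyring', so a valid signature made
by some other key does not pass."
  (eq 0 (call-process "gpgv" nil nil nil
                      "--keyring" my-index-keyring
                      sig-file index-file)))

(defun my-load-package-index (index-file sig-file)
  "Evaluate INDEX-FILE only after the signature policy allows it.
INDEX-FILE and SIG-FILE are local copies fetched beforehand."
  (let ((buf (generate-new-buffer " *package-index*")))
    (unwind-protect
        (progn
          (cond
           ;; No verifier or no key: warn and let the user decide.
           ((not (and (executable-find "gpgv")
                      (file-readable-p my-index-keyring)))
            (unless (yes-or-no-p
                     "Cannot check package index signature.  Evaluate anyway? ")
              (error "Package index not loaded: signature unchecked")))
           ;; Verifier present: a bad or missing signature is fatal,
           ;; never downgraded to a prompt.
           ((not (my-index-signature-ok-p index-file sig-file))
            (error "Package index not loaded: signature check failed")))
          ;; Read the local copy that was just checked, not a second download.
          (with-current-buffer buf
            (insert-file-contents index-file)
            (eval-buffer)))
      ;; The buffer is killed on every path, including errors.
      (kill-buffer buf))))
```

The two failure cases are kept distinct: an absent verifier leads to the warn-and-ask step from the proposal, while a signature that fails to verify aborts before anything is evaluated.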