If it were digitally signed so one could be confident it was a "real"
package-get-base.el then it'd be reasonable. Actually, it might be
nice to add a digital signature to each package entry to allow
developers to post a package entry via news or mail and have the
packaging system verify it as legit. I don't use digital signatures
so I have no idea what code is involved or how seamlessly that can
work for most people.
I hate the thought of introducing easily exploited trojan horses.
Here are some other things I wanted to do with the package stuff and
I'm not going to have time to do (besides the user interface):
1. Add a digital signature for the entire package-get-base.el file
2. Add an [optional] digital signature field for each package entry.
Both the above should warn the user if they are not verifying the
signature.
3. Add a filter to gnus & vm to automatically scarf posted package
entries (well, put the filter in package-get.el but make it easy to
add to mail/news readers).
4. Allow the "filename" field to be optional. This would allow "meta"
packages that cause a bunch of other packages to be downloaded in
one fell swoop. (The change has to happen in ``package-get'' so
instead of throwing an error it just needs to return at that point.)
--pete
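Items 1, 2 and 4 above, worked through as an added example. This is not code from the original message or from XEmacs package-get; the index layout, the author-keyed per-entry signatures, the status names, and the sample entries are constructed for illustration, and the stdlib-only textbook RSA signer (hash-then-exponentiate, 512-bit keys) is an assumed stand-in for whatever real signer such as GPG the packaging system would call. It shows one signature over the whole base file, an optional signature on each entry, the warning the user gets when verification is switched off, detection of an entry edited after signing, and a meta package without a filename expanding to the files of the packages it requires.

```python
import hashlib
import secrets

# ---- Textbook RSA over a SHA-256 digest: illustration only, an assumed
# stand-in for a real signer (GPG, ed25519) with proper padding. ----

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin test; adequate for generating throwaway demo keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Return ((n, e), (n, d)); 512 bits keeps the demo fast, not safe for real use."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    n, d = priv
    return pow(_digest_int(data), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(data)

# ---- Package index: one signature over the whole file, optional per-entry ones ----

def serialize_entry(entry):
    """Canonical bytes (sorted key=value lines) so signer and verifier hash the same."""
    return "\n".join(f"{k}={entry[k]}" for k in sorted(entry)).encode()

def entry_payload(entry):
    return serialize_entry({k: v for k, v in entry.items() if k != "signature"})

def build_index(entries, index_priv, author_privs):
    """Sign each entry whose author holds a key, then sign the assembled file."""
    signed = []
    for entry in entries:
        entry = dict(entry)
        key = author_privs.get(entry.get("author"))
        if key is not None:
            entry["signature"] = sign(key, entry_payload(entry))
        signed.append(entry)
    body = b"\n\n".join(serialize_entry(e) for e in signed)  # what the file signature covers
    return {"entries": signed, "body": body, "signature": sign(index_priv, body)}

def check_index(index, index_pub, author_pubs, verify_signatures=True):
    """Return (warnings, {name: status}); raise if the whole-file signature fails."""
    if not verify_signatures:
        return (["signature verification is OFF: index is not authenticated"],
                {e["name"]: "unverified" for e in index["entries"]})
    if not verify(index_pub, index["body"], index["signature"]):
        raise ValueError("package-get-base signature does not verify")
    status = {}
    for entry in index["entries"]:
        sig, pub = entry.get("signature"), author_pubs.get(entry.get("author"))
        if sig is None:
            status[entry["name"]] = "unsigned"
        elif pub is None:
            status[entry["name"]] = "unknown-signer"
        else:
            status[entry["name"]] = "signed" if verify(pub, entry_payload(entry), sig) else "bad"
    return [], status

def files_to_download(index, name, seen=None):
    """An entry with no filename is a meta package: expand its comma-separated 'requires'."""
    seen = set() if seen is None else seen
    if name in seen:
        return []
    seen.add(name)
    entry = next(e for e in index["entries"] if e["name"] == name)
    if "filename" in entry:
        return [entry["filename"]]
    files = []
    for dep in filter(None, entry.get("requires", "").split(",")):
        files += files_to_download(index, dep, seen)
    return files

# Constructed sample entries (hypothetical names and filenames, not real packages).
SAMPLE_ENTRIES = [
    {"name": "xemacs-base", "author": "pete", "filename": "xemacs-base-1.0-pkg.tar.gz"},
    {"name": "vm", "author": "vm-maintainer", "filename": "vm-6.0-pkg.tar.gz"},
    {"name": "mail-suite", "author": "pete", "requires": "xemacs-base,vm"},
]

def demo():
    """Sign, verify, then show an edit made after signing being caught."""
    idx_pub, idx_priv = generate_keypair()
    pete_pub, pete_priv = generate_keypair()
    index = build_index(SAMPLE_ENTRIES, idx_priv, {"pete": pete_priv})
    warnings, status = check_index(index, idx_pub, {"pete": pete_pub})
    tampered = dict(index, body=index["body"].replace(b"vm-6.0", b"vm-6.1"))
    try:
        check_index(tampered, idx_pub, {"pete": pete_pub})
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return warnings, status, tamper_detected, files_to_download(index, "mail-suite")

if __name__ == "__main__":
    print(demo())
```

The two layers do different jobs: the file signature binds the whole index (including which entries are present and which are unsigned) to whoever publishes package-get-base.el, while an entry signature lets an author's posted entry be checked on its own, which is what makes mail- or news-submitted entries workable. An entry that carries no signature is reported as such rather than rejected, and a signature from an author whose key the user does not hold is reported as "unknown-signer" so the user can decide what to trust.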