OK, you've expressed this point many times now but no one has actually done anything to make updating package-get-base any easier. If it's difficult for us, how will it seem for users? Personally I'm not that worried about someone intercepting my ftp to xemacs.org, I'd just like to have it not be a pain in the ass every time I want to upgrade my packages. Currently we're very close with Darryl's excellent pui-list-packages, we just need a way to get package-get-base. Email/news works here on xemacs-beta (if the entire thing gets sent and I can just hit C-x C-e, or there are commands to easily snarf new entries) but we can't require our users to read comp.emacs.xemacs. It needs to be automatic. greg Pete> Pete> greg(a)alphatech.com (Greg Klanderman) writes: Pete> Pete> When I originally wrote the code, one thing I was concerned about was Pete> XEmacs being easily exploited for trojan horse attacks. In Pete> particular, a talented hacker could intercept ftp requests to Pete> ftp.xemacs.org and substitude their own versions of packages -- hence Pete> the md5 checksum for each package. But then the problem becomes Pete> grabing package-get-base.el -- if that gets intercepted then there is Pete> a problem. Bogus md5sum's can be substituted, host names Pete> changed, package locations, etc. Pete> Pete> I pictured two distribution methods for package-get-base.el. It Pete> either gets sent with the entire distribution (which are signed). If Pete> that is corrupted, well you have bigger problems anyway. The second Pete> was a periodic posting to a newsgroup/mailing list. Presumably, such Pete> an article would be PGP signed and could be verified as being from the Pete> poster. Pete> Pete> Automatic access to package-get-base.el is dangerous. Pete> Pete> --pete Pete>