If it were digitally signed so one could be confident it was a "real"
package-get-base.el then it'd be reasonable. Actually, it might be
nice to add a digital signature to each package entry to allow
developers to post a package entry via news or mail and have the
packaging system verify it as legit. I don't use digital signatures
so I have no idea what code is involved or how seemlessly that can
work for most people.
I hate the thought of introducing easily exploited trojan horses.
Here are some other things I wanted to do with the package stuff and
I'm not going to have time to do (besides the user interface):
1. Add a digital signature for the entire package-get-base.el file
2. Add an [optional] digital signature field for each package entry.
Both the above should warn the user if they are not verifying the
signature.
3. Add a filter to gnus & vm to automatically scarf posted package
entries (well, put the filter in package-get.el but make it easy to
add to mail/news readers).
4. Allow the "filename" field to be optional. This would allow "meta"
packages that cause a bunch of other packages to be downloaded in
one fell swoop. (The change has to happen in ``package-get'' so
instead of throwing an error it just needs to return at that point.)
--pete