2017-04-06 15:04:29 UTC
weaker for the org-mode packages than for all other:
All GNU ELPA packages, except for org-mode, are generated by
elpa.gnu.org from an elpa.git checkout (via https, not sure if Git
checks the key), whereas the org-mode package is downloaded from
So the org-mode package has weaker points:
- uses http rather than https.
- downloaded from a machine that's further (well, not absolutely sure,
but I assume that elpa.gnu.org and git.sv.gnu.org are near each other).
Maybe we should consider some way to take the org packages from
http://orgmode.org/elpa, and push them to elpa.git. This way even if
this transfer from orgmode.org to elpa.git suffers from the same risks,
the resulting patch would be sent to elpa-diffs, so it would be exposed
for review (how much review it would really get is clearly debatable,