1. 4

  2. [Comment removed by author]

    1. 2

      A package archive with signed packages would probably be better.

      That takes significant infrastructure and community buy-in, though.