One thing we haven't discussed yet is what plans we have for supporting certificate signing packages. As you might recall, OPC has support for signing packages:
Keep in mind, I'm not suggesting we necessarily do this for v1, but we should start talking about it now to flesh out the details. Currently, we plan to follow the community driven moderation approach ala CodePlex and Ruby Gems. But we may want to provide the
ability to have support for verifying signed packages for those who want to sign packages.
The question is, why bother? How would the end-user experience be different? One idea that comes to mind is that NuPack might have a "high security" mode, for lack of a better name, that would prompt to install unsigned packages and install signed
packages without prompting.