Hi Daniel, Thanks very much for the reply. I fully agree that the verifying of git tags by MELPA would be valuable (and rather important from a security perspective), and will bring it up. BTW, is the GitHub mirror https://github.com/notmuch/notmuch/ mentioned in README.rst, semi-official in the sense of being likely to be up to date? If, yes, it could be used as a stopgap intermediary "source" for MELPA, until https transport is possible with the main notmuch repository or MELPA supports verifying signed git tags. Thanks again, Adam _______________________________________________ notmuch mailing list notmuch@notmuchmail.org https://notmuchmail.org/mailman/listinfo/notmuch