On Aug 11, 2015, at 7:25 PM, Stefan Monnier <monnier@iro.umontreal.ca> wrote:

Even if packages were signed and I could verify all of them, I still don't
think it's the NSA's business which packages I've requested from ELPA.
It would be nice if ELPA were available over TLS to provide both an
additional level of security,

AFAIK you can already use "https://..." addresses.  This should work for
the GNU ELPA server, at least.

Okay, I was sure I'd hit https://elpa.gnu.org and it was a connection error before I posted this bug.  I just did again and it worked, so... I must have been in error.

and to provide an interim solution while we are waiting for
package signing.

All GNU ELPA packages are signed and Emacs-24.5 does check them if you
have GPG installed.

Thanks also for this bit of information.  It should probably require that GPG be installed if package.el is to be used then, but that is a separate issue.

Sorry for the bogus report!