We might want to leave a little more wiggle room here for different signature methods in the future -- maybe a string type + a dictionary signature? Not too important.

In the long run, everything we can make sign-able probably should be sign-able -- e.g., "description" should be on Version instead of Package as an authority, so the description gets signed? And URI and projects, at least as a primary source, ideally.

The view policy for a signature should probably always be the version view policy?

The edit policy should probably always be only the signer PHID? I don't think it makes sense to disavow other users' signatures, or at least can't come up with a reason to do this.

The only case I can think of is that someone might be signing stuff as "CONFIRMED: THIS SOFTWARE SUCKS LOL" far in the future, but that seems like a whole lot of effort.

I think we should leave a lot more wiggle room than this: basically, have a $properties sort of property instead, and put the type ("git repository") + clone URI + hash in it.

It should be possible to publish a package version which changes the repository origin.

In the future, it should be possible to publish a package version which uses a tarball + checksum or similar.

View/Edit policy here may make sense to lock to the Package policies?

that was my plan (Also for Version so inherit it from Package), but I couldn't figure out how to do it, so I left it for later.