@xitij2000 thanks, sorry for the delay. This would be a good scheme for ensuring that changes don’t break the installation, and we should talk more about how to get it in place.
But I guess I’m more concerned about the installation starting to fail due to external changes. That is, nothing changed in our repos at all, but now a package isn’t available, or a key has expired, or something like that. We don’t have a way to know that the world changed around us, and we need to adapt. Do you have any thoughts about how we might approach that?