
No no no! Why not download the normal (signed) cabal list from the DHT (and optionally directly from hackage.haskell.org)? These are all the packages that would appear on the website. Why serve any other content? All nodes in the DHT may check and make sure the file (or fragment) being served is properly signed.
Any desire for popularity or tagging capability should be separate.
Because a single hackage private key can be bruteforced or stolen far more easily than lots and lots of keys belonging to random people.
+ The user maintains a list of trusted people's public keys, in order to validate authenticity and see trusted ratings.
This would need further explanation, but in general I'm against requiring user interaction on this level.

You choose who's moderating packages for you: some well-known community moderators and your trusted friends. If no one has rated the package yet, then you download and rate it, so people who trust you can make a decision based on your rating. Kind of a social network.
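The two mechanisms argued about above, a node refusing to serve index fragments that are not validly signed by a key it trusts, and a user accepting package ratings only from keys in their own trust list, can be sketched in a few dozen lines. The following is an added example, not code from this thread and not hackage's or cabal's own format or signature scheme: it uses Go's standard `crypto/ed25519` as a stand-in, and the fragment layout, the `rating\0pkg\0version\0score` message that gets signed, the `TrustStore` type and the key names (index signer, alice, bob, and an untrusted key) are all assumptions made for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"log"
)

// SignedFragment is one chunk of the package index together with its
// detached signature and the public key that claims to have produced it.
// Constructed layout for this example, not hackage's real wire format.
type SignedFragment struct {
	Data   []byte
	Sig    []byte
	Signer ed25519.PublicKey
}

// SignFragment signs a chunk of the index with the index signer's key.
func SignFragment(priv ed25519.PrivateKey, data []byte) SignedFragment {
	return SignedFragment{Data: data, Sig: ed25519.Sign(priv, data), Signer: priv.Public().(ed25519.PublicKey)}
}

// TrustStore is the set of public keys a DHT node or a user accepts:
// the index signer plus whichever raters the user has chosen to trust.
type TrustStore map[string]bool

func (t TrustStore) Add(pub ed25519.PublicKey) { t[string(pub)] = true }

// VerifyFragment is the check a DHT node runs before serving a fragment:
// the signer must be trusted and the signature must be valid over Data.
// The size check guards ed25519.Verify, which panics on malformed keys.
func (t TrustStore) VerifyFragment(f SignedFragment) bool {
	if len(f.Signer) != ed25519.PublicKeySize || !t[string(f.Signer)] {
		return false
	}
	return ed25519.Verify(f.Signer, f.Data, f.Sig)
}

// Rating is one person's signed opinion about a package version.
type Rating struct {
	Package string
	Version string
	Score   int
	Signer  ed25519.PublicKey
	Sig     []byte
}

// ratingMessage binds package, version and score into the bytes that are
// signed, so none of the three can be altered after the fact (assumed format).
func ratingMessage(pkg, ver string, score int) []byte {
	return []byte(fmt.Sprintf("rating\x00%s\x00%s\x00%d", pkg, ver, score))
}

func SignRating(priv ed25519.PrivateKey, pkg, ver string, score int) Rating {
	pub := priv.Public().(ed25519.PublicKey)
	return Rating{pkg, ver, score, pub, ed25519.Sign(priv, ratingMessage(pkg, ver, score))}
}

// TrustedScores keeps only ratings that verify under a key in the trust
// store; ratings from unknown keys or with altered fields are dropped.
func (t TrustStore) TrustedScores(rs []Rating) []int {
	var out []int
	for _, r := range rs {
		if len(r.Signer) != ed25519.PublicKeySize || !t[string(r.Signer)] {
			continue
		}
		if !ed25519.Verify(r.Signer, ratingMessage(r.Package, r.Version, r.Score), r.Sig) {
			continue
		}
		out = append(out, r.Score)
	}
	return out
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		log.Fatal(err)
	}
	return pub, priv
}

// DemoResult collects the outcomes so they can be checked, not just printed.
type DemoResult struct {
	GenuineOK, TamperedOK, UntrustedOK bool
	Scores                             []int
}

// Demo builds a trust store with an index signer and two raters, then runs
// a genuine, a tampered and an untrusted fragment through VerifyFragment and
// a mix of ratings through TrustedScores. All keys and data are constructed.
func Demo() DemoResult {
	indexPub, indexPriv := mustKey() // the index signer (e.g. hackage)
	alicePub, alicePriv := mustKey() // trusted rater
	bobPub, bobPriv := mustKey()     // trusted rater
	_, mallPriv := mustKey()         // nobody trusts this key

	trust := TrustStore{}
	trust.Add(indexPub)
	trust.Add(alicePub)
	trust.Add(bobPub)

	fragment := SignFragment(indexPriv, []byte("lens-4.19.2\nfoo-0.1\n"))
	tampered := fragment // same signature, modified content
	tampered.Data = []byte("lens-4.19.2\nbackdoored-0.1\n")
	forged := SignFragment(mallPriv, []byte("lens-4.19.2\n")) // valid sig, wrong key

	ratings := []Rating{
		SignRating(alicePriv, "foo", "0.1", 4),
		SignRating(mallPriv, "foo", "0.1", 5), // untrusted rater, ignored
		SignRating(bobPriv, "foo", "0.1", 2),
	}
	altered := SignRating(bobPriv, "foo", "0.1", 1) // score changed after signing
	altered.Score = 5
	ratings = append(ratings, altered)

	return DemoResult{
		GenuineOK:   trust.VerifyFragment(fragment),
		TamperedOK:  trust.VerifyFragment(tampered),
		UntrustedOK: trust.VerifyFragment(forged),
		Scores:      trust.TrustedScores(ratings),
	}
}

func main() {
	r := Demo()
	fmt.Printf("genuine=%v tampered=%v untrusted=%v trusted scores=%v\n",
		r.GenuineOK, r.TamperedOK, r.UntrustedOK, r.Scores)
}
```

The same `TrustStore` serves both roles: a node that only ever trusts the index key is the "one hackage key" model, while a user who adds friends' and moderators' keys gets the many-keys model argued for above, and a stolen rater key only affects people who chose to trust that rater.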