
I'm no expert on any of this, but from the descriptions given so far on this mailing list, I think you have oversimplified the differences here.
> GPG secures documents, not interactions. SSL secures interactions, not documents.

Yes.

> Hackage is an interaction not a document.

Hackage is an interaction /over/ documents.

> Therefore, SSL can secure Hackage, but GPG can't.

Wrong. SSL can secure the transport layer of document transmission, but does nothing towards authenticating the documents themselves. Garbage is still garbage, even if it is sent securely. GPG authenticates the documents, which means it does not matter whether the transport layer is secure or not - I can still be sure the document is uncompromised.

> GPG requires authors to learn GPG and attend key signing parties. SSL requires authors to learn nothing. Therefore, SSL is easier for authors.

Provided the author doesn't mind an attacker replacing their package with a compromised one, with no immediate means of detection, and no easy way to alert users when the intrusion is detected.

Regards,
Malcolm
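
The distinction argued in the message above, as an added example that is not part of the original thread: a package replaced on the server arrives intact over a secure channel, and only a check against the author's signature notices the replacement. To run with the standard library alone it uses a Lamport one-time signature built from SHA-256 as a stand-in for GPG signing; all function names and the package bytes are constructed for illustration.

```python
import hashlib
import secrets

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key pair (stand-in for the author's GPG key; sign ONE message only).
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def bits(data):
    # The 256 bits of SHA-256(data), most significant bit first.
    d = H(data)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, data):
    # Reveal one secret per digest bit.
    return [sk[i][b] for i, b in enumerate(bits(data))]

def verify(pk, data, sig):
    # Each revealed secret must hash to the public value chosen by the digest bit.
    return len(sig) == 256 and all(
        H(sig[i]) == pk[i][b] for i, b in enumerate(bits(data)))

def fetch_over_secure_channel(server_store, name):
    # Stand-in for an SSL download: delivers exactly what the server holds,
    # whatever that is. The channel cannot tell who put it there.
    return server_store[name]

def demo():
    sk, pk = keygen()  # pk is assumed to reach users independently of the server
    tarball = b"constructed package contents v1.0"
    server = {"pkg": (tarball, sign(sk, tarball))}

    data, sig = fetch_over_secure_channel(server, "pkg")
    ok_before = verify(pk, data, sig)

    # Server-side replacement: without sk, the old signature is all there is to attach.
    server["pkg"] = (b"constructed replaced contents", sig)
    data, sig = fetch_over_secure_channel(server, "pkg")
    ok_after = verify(pk, data, sig)
    return ok_before, ok_after

if __name__ == "__main__":
    print(demo())
```

Both downloads succeed at the transport level; only the second fails the document-level check.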