The single most beneficial change would be adoption of The Update Framework, since it is resilient against all known issues with remote package management, regardless of pkg signers coming/going and whether HTTPS is used or not. It also has a nice protocol for handling key revocation.
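
The root rotation check a TUF client applies when signers come and go, as an added example that is not part of the original comment and is not code from the TUF project. It assumes a simplified root format (flat `keyids` and `threshold` fields) and uses HMAC-SHA256 as a stand-in for real public-key signatures; the signer names and secrets are constructed.

```python
import hashlib, hmac, json

# Constructed demo signers (keyid -> secret). HMAC-SHA256 is only a stand-in
# for a public-key signature scheme such as Ed25519, to keep this stdlib-only.
KEYS = {"alice": b"a-secret", "bob": b"b-secret", "carol": b"c-secret", "dave": b"d-secret"}

def canonical(signed):
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()

def sign(signed, keyids):
    """Wrap root metadata with one signature per listed signer."""
    msg = canonical(signed)
    sigs = {k: hmac.new(KEYS[k], msg, hashlib.sha256).hexdigest() for k in keyids}
    return {"signed": signed, "signatures": sigs}

def valid_signers(meta, trusted_keyids):
    """Count distinct trusted keyids holding a valid signature over meta."""
    msg = canonical(meta["signed"])
    ok = set()
    for k, sig in meta["signatures"].items():
        if k in trusted_keyids and k in KEYS:
            expected = hmac.new(KEYS[k], msg, hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, sig):
                ok.add(k)
    return len(ok)

def update_root(trusted, candidate):
    """Return the candidate root if the rotation rules hold, else raise."""
    new = candidate["signed"]
    if new["version"] != trusted["version"] + 1:
        raise ValueError("root version must increase by exactly one")
    if valid_signers(candidate, trusted["keyids"]) < trusted["threshold"]:
        raise ValueError("not signed by a threshold of currently trusted root keys")
    if valid_signers(candidate, new["keyids"]) < new["threshold"]:
        raise ValueError("not signed by a threshold of the new root keys")
    return new

def demo():
    """Bob leaves: v2 drops his key, so a later root signed with it is refused."""
    root1 = {"version": 1, "keyids": ["alice", "bob", "carol"], "threshold": 2}
    v2 = sign({"version": 2, "keyids": ["alice", "carol", "dave"], "threshold": 2}, ["alice", "carol"])
    root2 = update_root(root1, v2)
    forged = sign({"version": 3, "keyids": ["bob"], "threshold": 1}, ["bob", "dave"])
    try:
        update_root(root2, forged)
    except ValueError as err:
        return root2["keyids"], str(err)

if __name__ == "__main__":
    print(demo())
```

Because every new root must be signed by a threshold of both the old and the new key set, a single revoked or stolen key cannot install a root that re-trusts it.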