Have you considered Git as a package manager? I’ve been using git submodules for dependencies and sub-dependencies and combined with free git hosting services, the idea is quite powerful.
Just go into your git project,
git submodule add git://somehosting.com/you/package.git
git submodule init package
git submodule update package
cd package && ./configure --stuff && make && cd ..
To select particular dependency versions,
cd package && git checkout v3.2 && cd .. && git add package/
git commit -am "package version 3.2 pinned" && git push
Now you’ve pinned your package dependency to a particular tag and saved your settings to your project repository. Next time someone does:
git pull && git submodule update
Their package dependency will also be pinned to v3.2.
Some package management systems also feature signed packages. Git allows you to GPG sign your tags and lets people verify it by adding your public key to their keyring.
So we have package downloading, dependency versions and we can emulate “package signing”. One missing part is pre-built binaries which, in my opinion isn’t an absolute necessity. Another missing part is global package management. You will have to manually manage each git repository when a dependency of a dependency gets updated.