Currently, with the modified news module (no custom permissions), I explicitly have to grant "admin" privileges to a specific user or group per instance. For our sites, this is acceptable, and personally, I find it cleaner and preferrable to having the unnecessary custom permissions.
But granting "admin" permissions per module instance wouldn't be necessary if we had a "publish" permission which lies somewhere below "admin". Great idea!
Though, what exactly would be the difference between "write", "create", and "publish"? We should have some consistency in the meaning of all permissions across the entire system, as Lars suggests.
The idea of granting privileges to the package *type* as opposed to package instances is intriguing. But I think it might be confusing and complex to implement inheritance from the site node tree as well as from the package type.
