I think generally the permissions should be used like this:
create allows the user to enter a new item.
write includes create and allows editing of that item.
publish is used where an item needs to be approved before
posting, such as news, or a moderated forum.
Having a publish or moderate privilege allows you to have someone manage a package, but will not allow them to change permissions on it, change parameters, or delete the package instance.