I've made an account just to respond to your problematic comment. I'm not going to respond to the validity of the author's concerns but if you think that someone could look through a package that contains tens/hundreds of thousands of lines of code, and do that for every package they utilize and then every time they upgrade those packages, then you are delusional. Signing/verifying is a very important aspect of infosec, something you have clearly not researched whatsoever.
Read about the further update to this. It turns out that package signing actually works, but only in a very manual and archaic way.
Package signing in PIP - It works, in a roundabout sort of way
Prahlad Yeri