Pointless, researchless, shit post. You don't need to sign it to be sure. Just look through it? Lazy man's problem.
I've made an account just to respond to your problematic comment. I'm not going to respond to the validity of the author's concerns but if you think that someone could look through a package that contains tens/hundreds of thousands of lines of code, and do that for every package they utilize and then every time they upgrade those packages, then you are delusional. Signing/verifying is a very important aspect of infosec, something you have clearly not researched whatsoever.
Read about a further update to this. It turns out that package signing actually works but only in a very manual and archaic way.