> As long as we upload packages via plain HTTP, signing won't help though.

I don't think that's true? If the package is tampered with, then the signature will be invalid; if the signature is also forged, then the private key is compromised and we can blacklist it. We care only about integrity, not secrecy.

Edward
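The checks Edward describes, as an added example that is not part of the original thread: a hypothetical repository client in Go that accepts a package only when a trusted, non-blacklisted maintainer key signed exactly the bytes received, using the standard-library crypto/ed25519. The repository layout, the key name "maint-1" and the package bytes are constructed for the example; the transport is treated as fully attacker-controlled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Repo is a hypothetical package index: the trusted maintainer keys plus a
// blacklist of keys known to be compromised (constructed for this example).
type Repo struct {
	Trusted map[string]ed25519.PublicKey
	Revoked map[string]bool
}

// Verify returns whether the downloaded package should be installed and why.
func (r *Repo) Verify(pkg, sig []byte, signer string) (bool, string) {
	pub, ok := r.Trusted[signer]
	if !ok {
		return false, "unknown key"
	}
	if r.Revoked[signer] {
		return false, "key revoked"
	}
	if !ed25519.Verify(pub, pkg, sig) {
		return false, "tampered"
	}
	return true, "ok"
}

// Demo walks through the thread's cases with a constructed package and returns
// the verdicts for the untouched, the tampered, and the post-revocation download.
func Demo() []string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	repo := &Repo{Trusted: map[string]ed25519.PublicKey{"maint-1": pub}, Revoked: map[string]bool{}}
	pkg := []byte("constructed package contents v1.0") // stands in for the tarball
	sig := ed25519.Sign(priv, pkg)
	_, good := repo.Verify(pkg, sig, "maint-1")
	// A network attacker flips one byte in transit: the signature no longer matches.
	altered := append([]byte{}, pkg...)
	altered[0] ^= 0x01
	_, tampered := repo.Verify(altered, sig, "maint-1")
	// A valid signature over attacker content means the private key leaked;
	// the remedy is to blacklist the key, not to change the transport.
	repo.Revoked["maint-1"] = true
	_, revoked := repo.Verify(pkg, sig, "maint-1")
	return []string{good, tampered, revoked}
}

func main() { fmt.Println(Demo()) }
```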