@Marc Knaup That was a question we wrestled with in the Clojure community (with our own clojars.org repository). The original idea was that artifacts would have two states: regular and "promoted", and the latter would only be allowed if they were signed. The theory was that Clojurians would exchange public keys to create a "web of trust" so that we could use "promoted" artifacts and check that they'd been signed by "known parties". In reality, not enough people felt the additional hassle of signing-and-sharing was worthwhile and the repository dropped the idea of promoted artifacts. A lot of people publish artifacts there without signing them now, because the hassle isn't worth it (and most Clojure JAR files are source anyway because it's compile-on-demand). TL;DR: signing really doesn't make things more secure if there's no verified "web of trust".