The benefits and limitations of signing an open source package–using a private key to create a unique digital signature–are a surprisingly contentious topic. One of the maintainers associated with the Python Package Index maintainer has a cogent blog post called “Why Package Signing is not the Holy Grail.” This maintainer criticizes those who view signing packages as some sort of “voodoo” that creates “security.” Another open source software developer documented their frustrating experience discovering “how uninterested developers are in software authentication,” the technical name for signing and verifying packages. The developer even titled this piece “Nobody Cares about Signed Gems,” referring to the name used for Ruby packages.