Currently, any package can be uploaded to the repository without any verification of who uploaded the compiled tarballs. Instead of submitting compiled tarballs directly to the site, could there be an upload script that runs on the user's machine, hashes the package and signs that hash before uploading it to the site? During the download phase, the signed hash shipped with the tarball could then be used to verify the tarball's integrity and, at the same time, establish the authenticity of the person who uploaded it. PKI is admittedly complicated, and not every developer wants to deal with maintaining private keys, but the upload script could hide the details of submitting the key to a keyserver, while the download script could verify that the signatures on the downloaded packages are good. This would help in following the provenance of the tarball.
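The proposal above, as an added example that is not part of the original post or of any existing repository tooling: a Go sketch of the two halves, an Upload step that hashes the tarball and signs the hash on the developer's machine, and a Verify step that fetches the uploader's public key and checks both the digest and the signature on the downloader's machine. The Keyserver map, the Manifest layout, the "pkgsig-v1" domain separator and the sample tarball bytes are all constructed for illustration; only the crypto/ed25519 and crypto/sha256 calls are real standard-library APIs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest travels next to the tarball: the digest the upload script computed,
// a handle to the uploader's public key, and the signature over both.
type Manifest struct {
	Package   string
	SHA256    string // hex SHA-256 of the tarball bytes
	KeyID     string // hex SHA-256 of the uploader's public key, used for keyserver lookup
	Signature []byte // Ed25519 signature over signedMessage(Package, SHA256)
}

// Keyserver stands in for a real keyserver (hypothetical): key id -> public key.
type Keyserver map[string]ed25519.PublicKey

// KeyID derives a short, stable handle from a public key.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Publish is what the upload script does the first time it sees a new key.
func (ks Keyserver) Publish(pub ed25519.PublicKey) string {
	id := KeyID(pub)
	ks[id] = pub
	return id
}

// signedMessage binds the package name to the digest so a valid signature
// for one package cannot be reused as a signature for a differently named one.
func signedMessage(pkg, digest string) []byte {
	return []byte("pkgsig-v1\n" + pkg + "\n" + digest + "\n")
}

// Upload runs on the developer's machine: hash the tarball, sign the hash.
func Upload(priv ed25519.PrivateKey, pkg string, tarball []byte) Manifest {
	sum := sha256.Sum256(tarball)
	digest := hex.EncodeToString(sum[:])
	pub := priv.Public().(ed25519.PublicKey)
	return Manifest{
		Package:   pkg,
		SHA256:    digest,
		KeyID:     KeyID(pub),
		Signature: ed25519.Sign(priv, signedMessage(pkg, digest)),
	}
}

var (
	ErrUnknownKey     = errors.New("uploader key not found on keyserver")
	ErrDigestMismatch = errors.New("tarball digest does not match manifest")
	ErrBadSignature   = errors.New("signature does not verify under uploader key")
)

// Verify runs on the downloader's machine: look up the uploader's key,
// recompute the digest, and check the signature. Integrity and authenticity
// are established together; a re-hashed manifest without a fresh signature
// still fails.
func Verify(ks Keyserver, tarball []byte, m Manifest) error {
	pub, ok := ks[m.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	sum := sha256.Sum256(tarball)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrDigestMismatch
	}
	if !ed25519.Verify(pub, signedMessage(m.Package, m.SHA256), m.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	ks := Keyserver{}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	ks.Publish(pub)

	// Constructed stand-in for the bytes of foo-1.0.tar.gz.
	tarball := []byte("constructed stand-in for foo-1.0.tar.gz bytes")
	m := Upload(priv, "foo-1.0", tarball)
	fmt.Println("genuine:", Verify(ks, tarball, m))

	// Modified tarball, unchanged manifest: digest check fails.
	tampered := append([]byte{}, tarball...)
	tampered[0] ^= 0xff
	fmt.Println("tampered:", Verify(ks, tampered, m))

	// Modified tarball with the manifest digest updated but no access to the
	// private key: signature check fails.
	forged := m
	fsum := sha256.Sum256(tampered)
	forged.SHA256 = hex.EncodeToString(fsum[:])
	fmt.Println("re-hashed without key:", Verify(ks, tampered, forged))
}
```

The key handle is the hash of the public key rather than a user-chosen name, so the download side cannot be pointed at a different key by editing a string in the manifest; whoever controls the keyserver entry for that id still has to be trusted, which is the part the post leaves to the upload script and the keyserver.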