@luis_in_brief Sure, PGP isn't the be-all and end-all these days, but an optional centrally managed signing service doesn't seem that great either. Looking into it more, it's more the developer's fault for blindly trusting code from a CDN (which is a pretty nifty attack vector). Just trying to link it back to the "security is hard, let's not worry" attitude that you are against.