In fairness, at the moment my python-bitcoinlib library isn't PGP signed for most users because PyPI made the idiotic decision to phase out PGP signatures. But my hands are tied on that; the entire software industry is incompetent.
10 years after I pointed out the risk of a Ripple backdoor due to Ripple not PGP signing their software or providing any other way to get it securely... there's a Ripple backdoor due to an npm compromise. 😂
https://github.com/petertodd/ripple-consensus-analysis-paper/blob/master/paper.pdf

Discussion
What are the chances these are actually intentional bugs created and inserted into boring and ubiquitous software libraries by NSA agents. We know this is a thing they actually (and proudly) do.