[mycroftiv]

Many distributions try to provide some security assurance to users by having packages in the repo cryptographically signed. This makes it harder for naughty people to trick users into installing malicious software. As a relatively small, non-"enterprise" distribution, Arch has not implemented such a system. Some people believe this is a Bad Thing, and recently there has been some controversy about it on mailing lists, which eventually bubbled up into an article on Linux Weekly News. Some Arch developers believe the issue has been portrayed inaccurately, and that a hostile individual has framed the issue unfairly.

[trotsky]

As someone who hasn't ever used arch, I am surprised to find out that they don't sign. The distros I use, RHEL, fedora and openSUSE have pushed all signed packages for quite some time. Clearly debian/ubuntu do as well. FBSD and OBSD also. Even gentoo supports signing of portage source packages, though apparently there is no policy that requires package builders to sign. This would seem to be an argument against rolling your own package manager, at least if you lack the resources to bring it up to industry standards.

Does anyone know of other distros that don't sign their packages?

[cakeface]

RHEL, fedora (RH again) and openSUSE all have paid programmers working on their distro at various companies. Arch does not. I will agree that not having signing is an argument against using pacman the Arch package manager. There are, however, plenty of positive arguments for using pacman. Its a great, reliable, package manager and I'm more comfortable with it than apt-get and yum for sure. If you're interested there are plenty more details in the Arch Wiki.

[16s]

OpenBSD does not sign patches. They do not release binary patches to base, only source, and they are not signed. Go to misc and ask them to sign patches. They'll flame you forever and suggest if you want to be sure the source is from them to buy one of their CDs.