[trotsky]

As someone who hasn't ever used arch, I am surprised to find out that they don't sign. The distros I use, RHEL, fedora and openSUSE have pushed all signed packages for quite some time. Clearly debian/ubuntu do as well. FBSD and OBSD also. Even gentoo supports signing of portage source packages, though apparently there is no policy that requires package builders to sign. This would seem to be an argument against rolling your own package manager, at least if you lack the resources to bring it up to industry standards.

Does anyone know of other distros that don't sign their packages?

[cakeface]

RHEL, fedora (RH again) and openSUSE all have paid programmers working on their distro at various companies. Arch does not. I will agree that not having signing is an argument against using pacman the Arch package manager. There are, however, plenty of positive arguments for using pacman. Its a great, reliable, package manager and I'm more comfortable with it than apt-get and yum for sure. If you're interested there are plenty more details in the Arch Wiki.

[16s]

OpenBSD does not sign patches. They do not release binary patches to base, only source, and they are not signed. Go to misc and ask them to sign patches. They'll flame you forever and suggest if you want to be sure the source is from them to buy one of their CDs.