Lisp

Pretty much everyone has given up on signing at this point, I think?

I sign all my packages (and also my release commits and tags) – the infrastructure and tools to support easy and thorough artifact verification may not exist at this point, but I'd rather see us collectively push things in that direction than give up on supply chain security altogether.

Nope. That's never been true. It's always been optional.

Maybe technically optional, but practically not so much – if you wanted to edit any metadata like project description, licenses, etc., you needed a pom.xml template file. The recent :pom-data in 0.9.6 is certainly a step forward.

Build lacks support for adding project descriptions, URLs and licenses to pom files

No, it specifically supports this now.

That's good to hear. It looks like that functionality was only added in 2 weeks ago, though.

it expects that you maintain a pom file in source control

Nope. That's never been true. It's always been optional.

It's possible I misinterpreted Alex Miller's response, but when I asked previously about how to support extra pom data (before :pom-data), that was the answer I was given: "We don't support lots of elements as we can sync from a source pom[. ]So write the pom template with whatever you need and sync that"

Pretty much everyone has given up on signing at this point, I think? Clojars certainly doesn't care any more. In other words, this feels like a straw man / moot argument.

I still sign all my packages. I mean, why not? I already have it all set up. It may be that I'm in the minority, but removing signatures would feel like a step backward.

I'm not sure why you consider this a "straw man / moot argument". Note that I'm not advocating people use Leiningen, I'm just stating the reasons I still use Leiningen.