
Typosquatting and package signatures are separate issues. Package signing only prevents typosquatting insofar as either the user or some intermediate layer resolves the typo to the intended package. If someone was going to this effort, they'd probably go to the effort of double-checking the package name before installation anyway.

PyPI needs moderators to sit in the middle and remove anything that is obviously malicious, whether the packages are signed or not. Bad guys can sign packages just as easily as good guys.

Software should also be used to correct likely typos, perhaps including checking against a blacklist of known-bad package hashes, before the package is installed.

Yes, these approaches are imperfect, but they are better than doing nothing. "Perfect is the enemy of good".
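The two pre-install checks proposed in the comment above (correcting a likely typo before resolving the name, and refusing an artifact whose hash is on a known-bad list) can be sketched as an added example. This is not code from the original thread or from PyPI/pip; the package list and denylist entry are constructed for the demo, and the edit-distance threshold of 2 is an assumption.

```python
"""Pre-install checks: typo suggestion against well-known package names plus
a SHA-256 denylist lookup. Constructed example, not part of the original thread."""
import hashlib
import re

# Constructed sample of well-known package names (assumption for the demo; a real
# list would come from download statistics or an internal allowlist).
KNOWN_PACKAGES = {"requests", "numpy", "urllib3", "setuptools", "django"}


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suggest_intended(name: str, known=KNOWN_PACKAGES, max_distance: int = 2):
    """Return the known package the requested name most likely meant, or None.

    A name already in the known set is accepted as-is (None). Otherwise the
    closest known name within max_distance edits is returned so the installer
    can ask the user to confirm instead of silently fetching the lookalike.
    A name that resembles nothing known also yields None.
    """
    wanted = normalize(name)
    if wanted in known:
        return None
    best, best_d = None, max_distance + 1
    for candidate in known:
        d = edit_distance(wanted, candidate)
        if d < best_d:
            best, best_d = candidate, d
    return best


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def artifact_is_denylisted(data: bytes, denylist) -> bool:
    """True if the artifact's SHA-256 digest appears on the denylist."""
    return sha256_hex(data) in denylist


def preinstall_check(name: str, data: bytes, denylist=frozenset()):
    """Run both checks; return (ok, reason). The hash check runs first so a
    known-bad artifact is refused even when the name itself looks fine."""
    if artifact_is_denylisted(data, denylist):
        return False, "artifact hash is on the denylist"
    guess = suggest_intended(name)
    if guess is not None:
        return False, f"'{name}' is not a known package; did you mean '{guess}'?"
    return True, "ok"


if __name__ == "__main__":
    # Constructed artifact bytes; the denylist entry is the digest of bad_blob,
    # not of any real file.
    bad_blob = b"constructed bad artifact"
    denylist = {sha256_hex(bad_blob)}
    print(preinstall_check("reqeusts", b"constructed harmless bytes", denylist))
    print(preinstall_check("requests", bad_blob, denylist))
    print(preinstall_check("requests", b"constructed harmless bytes", denylist))
```

The typo check only fires for names close to a popular one, so it does not block genuinely new packages; the hash check is independent of the name, which is the point the comment makes about signing not being a substitute for moderation.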




> needs moderators

Like Anaconda and Enthought? And countless internal departments? Or are you suggesting folks donate to the PSF and they hire a team?


I'm suggesting that whoever currently has admin rights on the PyPI packaging servers, and it's someone, take responsibility for this and physically remove the typosquatting libs from the lookup mechanism. "We need donations before we can do that" doesn't pass muster as far as I'm concerned; leaving this unaddressed is an existential issue for PyPI.

There are already privately-maintained repositories and that's great, but IMO it's not an excuse for PyPI to leave this vulnerability open.


Ah, so you're going to refuse to use PyPI until someone volunteers. I'm not certain that's an existential issue for PyPI. I plan to continue using it.



