Haelwenn authored
PyPI being untrustworthy without lockfiles, which are pretty much impossible to review because of binary wheels and even then would take more maintenance than regular distro packaging where indirect dependencies are already managed.