[Unstable Update] January 2025

This one.

Used to suggest

SigLevel    = Optional DatabaseNever

But has since been edited to suggest

SigLevel    = Required DatabaseNever

But there are still an untold number of threads and users with the suggestion in one way or another to disable the signatures.

Such as here:

I just meant that anyone who has followed such advice or for whatever reason has lesser SigLevel options applied would be vulnerable to an exploited mirror.

For a while at least one of the most common responses to ‘Trouble syncing packages, errors about keys’ on the forums was to augment the SigLevel options to something more permissive. That always meant lesser security, but this news makes a tangible argument for why not to.

2 Likes
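
An added example, not part of the original post: a small Python check that reads pacman.conf text and reports every section whose package signature policy ends up as `Never`, `Optional` or `TrustAll`, the kind of setting the post says leaves a system exposed to a compromised mirror. The sample config is constructed, and folding a repository's `SigLevel` tokens over the `[options]` value is a simplifying assumption about how the settings combine.

```python
import re

# Constructed sample in pacman.conf syntax; not taken from any real system.
SAMPLE_CONF = """\
[options]
SigLevel    = Required DatabaseNever
[thirdparty]
SigLevel = Optional TrustAll
Server = https://mirror.example.invalid/$repo
[localrepo]
SigLevel = Never
"""

def package_policy(value, inherited=("unset", "unset")):
    """Fold SigLevel tokens into a (check, trust) pair for packages."""
    check, trust = inherited
    for tok in value.split():
        if tok.startswith("Database"):
            continue  # database-only token, does not change package checks
        tok = tok.removeprefix("Package")
        if tok in ("Never", "Optional", "Required"):
            check = tok
        elif tok in ("TrustedOnly", "TrustAll"):
            trust = tok
    return check, trust

def audit(conf_text):
    """Return [(section, check, trust)] for sections with a weak package policy."""
    section, glob, findings = None, ("unset", "unset"), []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1)
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "SigLevel":
            continue
        policy = package_policy(value, ("unset", "unset") if section == "options" else glob)
        if section == "options":
            glob = policy  # assumption: repo sections start from the global value
        # Optional verifies a signature if present but also accepts unsigned packages.
        if policy[0] in ("Never", "Optional") or policy[1] == "TrustAll":
            findings.append((section, *policy))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

To check a real system, pass the contents of `/etc/pacman.conf` to `audit()`; files pulled in through `Include` are not followed by this sketch.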