
What it comes down to is you have to trust someone, eventually. You've got to trust your distro and its installed version of GPG, or you've got to trust your own compiled version of GPG, etc. Unless you're savvy enough to download the source code and confirm it's safe, you're stuck trusting someone.

It's sort of a chicken and the egg problem, PGP. A better web of trust would help resolve these issues (I'm probably not that many trusted steps from a Debian developer), but without a better web of trust, it's hard to build a web of trust, if that makes any sense.

And it seems no one does key signing parties any more...


