Use narrowly-scoped signing keys in instructions for using torproject apt repository
https://2019.www.torproject.org/docs/debian.html.en engages in a number of suboptimal practices. In particular, it should not encourage users to use apt-key add
with an OpenPGP certificate that is not expected to certify all repositories on the machine.
See https://wiki.debian.org/DebianRepository/UseThirdParty for reasonable guidance on setting up third party APT repositories.
(at the very least: place the key someplace like /usr/local/share/keyrings/tor-project-arhcive.gpg
and then use a signed-by
directive in the apt repository configuration)