get the deb.torproject.org-keyring package into Debian
For first time torproject.org visitors with no knowledge about gpg and/or no trust path to The Tor Project it's difficult to verify the Tor package signing key.
The advice to download the Tor package signing key from the keyservers with a fingerprint posted from torproject.org is flawed. The first time visitor of torproject.org is already victim of a mitm this won't help. It would only help if the first time visitor won't get mitm'd at his first visit. Only further downloads would be protected.
For this reason it's not best to distribiute the Tor signing key / fingerprint through torproject.org.
Suggestion:
-
Get the deb.torproject.org-keyring into Debian. If you can get it into the Debian keyring - even better.
-
After 1. is done get Tor package signing key shipped by default with Debian.
This would eliminate and ease at least one step from the complicated (from user perspective) steps of gpg verification.
Getting it into Debian is strategic. Many derivatives based on Debian such as Ubuntu will include it as well.