
The only safe way is accepting keys from people you know don't view PDFs using Adobe Reader, who don't browse the web (nor use Flash) etc. And then you still also have to know that their email account password is reasonably strong .. So whatever this thread is about - it's only about making it harder to intentionally inject bad code. Also "signed by two people" - how to verify that two accounts/email addresses really belong to different people? - You understand the problem.

Anyway - having signed packages is good, because attackers will be slower, they have to build up trust first .. So it will improve the situation a lot.

I also would appreciate being able to get hash sums from the 00-index.tar. Then automatic packaging is much easier.

Oh - and don't forget the huge amount of code hackage has today. It may not be feasible to trust-check all code - but having the most used code checked by multiple parties already is a great improvement.

Marc Weber