Comment 31 for bug 125103

Toni Ruottu (toni-ruottu) wrote :

> Putting the public key in a package in the PPA would not be very
> useful in bootstrapping, as users would be getting the pubkey from an
> untrusted source.

It would be very useful because most users would then be getting something from an untrusted source only once. Even if it was this easy to install the public key, many users might still just select "yes" for each untrusted package separately instead of getting the key. Maybe the user should be forced to install that package (but that is the matter of another bug thread). It is also a lot less likely that there would be someone attacking the user at the arbitrary point in time when the user decides to start using a PPA, than at the time of installing some untrusted single package. In addition, this approach does not prevent anyone from getting the keys in another, more secure manner.