Huh, I didn't know about the Debian rules. But Debian keys and signatures are published to public keyservers too, aren't they? So your trust paths that contain a Debian developer may not guarantee the trustworthiness of the endpoint.
I thought that bootstrapping my trust from one of the Debian developers would make sense, since I already have Debian installed (somewhere you have to start). Looks like it's not that a good idea.
Yeah, a trust path that is end-to-end all Debian developers is fine. And I sometimes know that a certain human (that I don't have a way to meet with in person) is a reasonable human being, so I'll trust a path to that human that consists of Debian people, or other people I personally know to be reasonable human beings.
I thought that bootstrapping my trust from one of the Debian developers would make sense, since I already have Debian installed (somewhere you have to start). Looks like it's not that a good idea.