Yeah, but the gnupg binaries and CA list and browser executables and whatnot were validated by the package manager, which came from an install disk validated by older gnupg binaries and CA lists and browser executables and so on...
In the end, the trust chain stretches to files downloaded using Netscape 2 via dialup sometime in the last millennium.
Yeah, the chain might have been broken a few times in the meanwhile. Still, it's better to chain from what you have than to start from scratch every time. The more you do it, the longer the chain stretches. And it takes just one person with an unbroken chain from before the attacker has even been born to sound the alarm.