
Re: Fwd: Fwd: question regarding verification of a debian installation iso



Thanks for taking this subject seriously.

 
HTTPS is going to make it harder for man-in-the-middle shenanigans, but that is only part of the path "from the developer to the user."
One also has to consider whether the project's servers have been tampered with - which tends to be the much more common attack (both
Debian and RedHat / Fedora have experiences with this).

I totally agree, but from my position as an end user I can only start by raising the issues I can observe because I am confronted with them. I don't know the security policies for Debian/Fedora developers, if those even exist, or whether they are being executed properly. I can only raise a point and draw my conclusions from how seriously it is being taken to assess the general trust I decide to put in a certain product.
 

One thing I don't like about Fedora's documentation is blindly getting their signing key from their own server and trusting that key.  

Hmm, I see your point. That is strange, because on this page, one link down, they actually point to keys.gnupg.net, which is where I got the key. I suppose they just choose HTTPS as the basis of their security, which obviously only protects the transport. The key is signed by two other keys, though, but verification suffers from the same limitation as with Debian, of course.


Also - I think this bears repeating since it seems to be overlooked in the above list.  Debian does provide SHA1, SHA256, and SHA512 hashes as well as MD5 (all signed).

That is true and good, but these instructions only speak about MD5, which means that the other hashes are probably only used by people who know why not to use MD5.

greetz,
naja
