Thanks.
I saw that some of my concerns were mentioned there about obtaining and verifying installation media, MITM attacks, etc.
I have previously verified installation media via the methods described in the FAQ, downloading GPG keys, etc., and still
had the problem of aptitude telling me that all available packages were from untrusted sources. (This was some years
ago when I had this issue.)
I seem to remember being offered security updates for the kernel, OpenSSL, SSH, etc. where my only option was to download
untrusted packages. I would get warning messages from aptitude about installing security updates.
Maybe a document should be written that describes in detail, in easy-to-understand language, what steps to take to
verify keys and to verify that apt has not been compromised on an already installed system, and also that GPG has not
been compromised.
It is the job of the NSA to be able to compromise systems. We should make that task as difficult as possible at every level