That's for developers. But if I'm a user of Debian and I download and install the ISO, I am not part of the web of trust. I'm trusting Debian as a central authority to ship me a valid keyring.
Which is fine; the centralization here makes sense, for the same reason I trust Microsoft to give me Windows updates or McDonalds to give me fries and burgers. But it's no more "web of trust" than either of those examples.