<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
  </head>
  <body text="#000000" bgcolor="#ffffff">
    <font color="#000000"><font face="Helvetica, Arial, sans-serif">I
        did post this before in November but got no responses.&nbsp;
        Hopefully this wasn't because the question was so dumb. <br>
        <br>
        -------------<br>
        <br>
        My /etc/apt/sources.list contains:<br>
        <br>
        deb <a rel="nofollow" class="moz-txt-link-freetext"
          href="http://deb.torproject.org/torproject.org">http://deb.torproject.org/torproject.org</a>
        lucid&nbsp; main<br>
        <br>
        In the "authentication" section of my "software sources" I have
        a deb.torproject.org archive signing key dated 2009-09-04 with a
        value 886DDD89.&nbsp; <br>
        <br>
        I was looking at the page which explains how to verify
        signatures for downloads: <a rel="nofollow"
          class="moz-txt-link-freetext"
          href="https://www.torproject.org/docs/verifying-signatures.html.en">https://www.torproject.org/docs/verifying-signatures.html.en</a><br>
        <br>
        If one is not directly downloading but using the sources.list
        file is the "authentication" section adequate to verify the
        validity of the downloads?<br>
        <br>
        Thanks</font></font>
  </body>
</html>