Worth noting that a GPG signature is of limited (though not zero) use if the signing key doesn't have any signatures. In this respect, Debian contrasted favourably with Fedora the last time I looked.
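As an added example (not part of the thread), the check the comment above implies: parse `gpg --with-colons --list-sigs` output and report keys whose only signature is their own self-certification. The colon format is GnuPG's documented machine-readable output (field 1 record type, field 5 key ID, field 11 signature class); the sample output below is constructed, not a real key.

```python
"""Find GPG public keys that carry no third-party certifications.

Parses the output of `gpg --with-colons --list-sigs`. For 'sig' records,
field 5 is the signing key ID and field 11 the signature class; classes
10..13 are user-ID certifications. A key whose only such signatures come
from itself has no web-of-trust support behind it.
"""

# Constructed sample: key AAAA... is certified by BBBB..., key CCCC... only
# carries its own self-signature. Not real keys or fingerprints.
SAMPLE = """\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1600000000:::-:::scESC::::::23::0:
uid:-::::1600000000::0001::Example Distro (constructed) <security@example.invalid>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1600000000::::Example Distro (constructed) <security@example.invalid>:13x:::::8:
sig:::1:BBBBBBBBBBBBBBBB:1600000100::::Some Maintainer (constructed) <dev@example.invalid>:10x:::::8:
pub:-:4096:1:CCCCCCCCCCCCCCCC:1600000000:::-:::scESC::::::23::0:
uid:-::::1600000000::0002::Lone Key (constructed) <lone@example.invalid>::::::::::0:
sig:::1:CCCCCCCCCCCCCCCC:1600000000::::Lone Key (constructed) <lone@example.invalid>:13x:::::8:
"""

UID_CERT_CLASSES = ("10", "11", "12", "13")  # generic..positive certification


def certifications(colon_output):
    """Return {primary key ID: set of third-party signer key IDs}."""
    result = {}
    current = None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = fields[4]
            result[current] = set()
        elif fields[0] == "sig" and current is not None and len(fields) > 10:
            signer, sig_class = fields[4], fields[10]
            # Count only UID certifications, and skip the key's self-signature.
            if sig_class[:2] in UID_CERT_CLASSES and signer != current:
                result[current].add(signer)
    return result


def keys_without_certifications(colon_output):
    """Key IDs that no other key has certified (self-signature only)."""
    return sorted(k for k, signers in certifications(colon_output).items() if not signers)


if __name__ == "__main__":
    for key_id, signers in certifications(SAMPLE).items():
        status = f"certified by {len(signers)} other key(s)" if signers else "self-signed only"
        print(f"{key_id}: {status}")
```

Pipe real output in with `gpg --with-colons --list-sigs KEYID | python3 -c '...'` or read it into `certifications()`; a key that shows up as self-signed only is exactly the case the comment warns about.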
True, but for both of them you might already be able to get the proper key through a trusted channel. Fedora has the keyrings for at least Arch, Debian and Ubuntu (besides its own ones, naturally) in its RPM repos, so Fedora users can get them in a secure manner. Debian also has at least the Ubuntu keys included in the repos.
Fedora's own key is also available over HTTPS so you get at least some assurance when bootstrapping.