by woliveirajr 3173 days ago
It does matter. Someone could replace his public key with a fake one. Everything that would be encrypted so that only he could see it could end up in wrong hands, because somebody would trust "I'm encrypting using his public key, I can tell anything to that guy", and the bad guy would read it.

I'm confused how you think transferring the PGP key through secure means would prevent that. It only (mostly) ensures the message you receive is valid.

They could far more easily gain access to his server through a variety of means and upload a different copy of his key than try and do a MITM or whatever. It's not like he's going to notice if the key changes.

What you're proposing is that an intelligence service is going to MITM you and gain access to the journalist's computer or email server to read the messages you may send him? Why? The messages are unencrypted when read on his system and when typed on yours, so there are far easier ways to get at their contents.

His page (http) -> MITM -> page you get with another public key

You write him something -> he doesn't read.

You write him -> email is intercepted -> he doesn't read it, but whoever intercepted the email reads it.

So his computer is never compromised. But his email server (some provider) is.
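The substitution the thread describes (a key fetched over plain HTTP is swapped by someone on the path, and nobody notices) is defeated by checking the fetched key's fingerprint against one obtained over a separate channel, and by remembering the fingerprint last seen so a silent change stands out. The following is an added illustration, not code from the thread or from any real PGP tool: the "keys" are constructed byte strings, the download and the attacker are simulated by the `fetch_key` function, and the fingerprint is SHA-256 over the raw bytes as a stand-in for a real OpenPGP fingerprint.

```python
"""Key-substitution check: trust a downloaded public key only when its
fingerprint matches one obtained out of band, and flag any later change."""
import hashlib
import hmac

# Constructed sample keys (not real PGP material): the journalist's genuine
# key, and the substitute an on-path attacker might serve over plain HTTP.
GENUINE_KEY = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
               b"GENUINE-KEY-MATERIAL\n"
               b"-----END PGP PUBLIC KEY BLOCK-----\n")
SUBSTITUTE_KEY = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
                  b"ATTACKER-KEY-MATERIAL\n"
                  b"-----END PGP PUBLIC KEY BLOCK-----\n")


def fingerprint(key_bytes: bytes) -> str:
    # Stand-in fingerprint: SHA-256 over the raw key bytes. Real OpenPGP v4
    # fingerprints are a hash over the public-key packet; the comparison
    # logic below is the same either way.
    return hashlib.sha256(key_bytes).hexdigest()


def fetch_key(scheme: str, on_path_attacker: bool) -> bytes:
    # Simulated download of the key from the journalist's page. Over http an
    # on-path attacker can rewrite the page body; over https the rewrite is
    # blocked, so the genuine key arrives either way.
    if scheme == "http" and on_path_attacker:
        return SUBSTITUTE_KEY
    return GENUINE_KEY


def key_is_trusted(fetched: bytes, pinned_fingerprint: str) -> bool:
    # Compare against a fingerprint learned over a second channel (printed
    # on a card, read out over the phone, published on a verified profile).
    return hmac.compare_digest(fingerprint(fetched), pinned_fingerprint)


class KeyMemory:
    """Trust-on-first-use record: remembers the fingerprint last seen per
    correspondent so a later, silently substituted key is reported."""

    def __init__(self):
        self._seen = {}

    def check(self, correspondent: str, fetched: bytes) -> str:
        fp = fingerprint(fetched)
        previous = self._seen.get(correspondent)
        if previous is None:
            self._seen[correspondent] = fp
            return "new"          # first time: nothing to compare against yet
        if hmac.compare_digest(previous, fp):
            return "unchanged"
        return "changed"          # key differs from the one used before


def scenario() -> dict:
    """Run the thread's http-vs-https cases and return what each check says."""
    pinned = fingerprint(GENUINE_KEY)   # obtained out of band beforehand
    memory = KeyMemory()
    results = {}
    # First visit over https: genuine key, remembered for later comparison.
    first = fetch_key("https", on_path_attacker=True)
    results["https_trusted"] = key_is_trusted(first, pinned)
    results["https_memory"] = memory.check("journalist", first)
    # Later visit over plain http with an attacker on the path.
    later = fetch_key("http", on_path_attacker=True)
    results["http_trusted"] = key_is_trusted(later, pinned)
    results["http_memory"] = memory.check("journalist", later)
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Without the pinned fingerprint or the remembered one, `SUBSTITUTE_KEY` looks exactly like any other valid key block, which is the point the thread makes: the sender would encrypt to the wrong key and neither party would notice. With either check in place the swap is reported before anything is encrypted.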