I agree that this should be common knowledge, but the fact is that many
TeX users are barely aware of the need to verify downloads because
99% of the time they use distro packages and App Stores that hide the
details.   Many just want either a "magic recipe" they can follow without
understanding or a way to disable or ignore the checks.

is a decent model that could (not by chance!) be adapted to TeX Live.

Enterprises are now doing supply chain reviews and asking hard
questions about open source repositories.   Use of 3rd party packages
may be restricted (e.g., no binaries --  always build from sources). For
TeX Live this forces users to rely on linux distro packages.   The
future may include requirements for 3rd party audits of practices and
policies of open source archive sites.

> Not sure how and in which form we want to add this, but I will think
> about it, and discuss with Karl later on.

The document needs to a) educate users who haven't had to deal with
the details of signed packages, and b) provide a document that can be
referenced during security reviews.  Since users should be thinking about
their own supply chain security, it makes sense to have one document that
covers (a) and (b) together.   Some users will ignore most of the contents,
but it is there for those who don't.

