A poster on Slashdot has done some interesting research on whether an ISP that co-operates with the FBI can insert a trojan horse in your Debian machine. He demonstrates that it is easy:
http://slashdot.org/comments.pl?sid=24834&cid=2697504

RedHat uses a PGP signature scheme. What are we doing about it?

Alex