Fedora uses GPG keys for signing RPM packages and ISO checksum files. They list the keys in use (including fingerprints) on a web page. The web page is delivered via https.

For example, the checksum file for Fedora-16-i386-DVD.iso is signed with key A82BA4B7. Checking who signed the public key results in a disappointing listing:

    Type bits/keyID     cr. time    exp time    key expir
    pub  4096R/A82BA4B7 2011-07-25
    uid  Fedora (16)
    sig  sig3  A82BA4B7 2011-07-25 __________ __________ [selfsig]

It seems that nobody from the Fedora community has signed these important keys!

Why? ;) (Why doesn't Fedora use a web of trust?) Or am I missing something?

Compare this e.g. with Debian - their current automatic ftp signing key 473041FA is signed by 7 developers.

Edit: Why does this stuff matter?

Having such an important key signed by real people (currently it is not signed by anyone!) establishes a certain level of confidence that it is the real key and not one created by an attacker and uploaded to the web server just 5 minutes ago. This level of confidence or trust requires that you can trace signing relations in a web of trust (to people you already trust). And the probability that you are able to do so increases when different people sign it (currently the probability is zero).