I frankly have a headache after reading through this technical discussion. I would like to understand nonetheless. What is the security threat to my computer if only install application from the official Debian repos ? What is the purpose of signing package then ? Is that not something useful only to third party developers and/or when there is no official repo ? All this to say I really don't see the point of a "GPG-signature like feature" for a distro like Debian (and will gladly plaid my ignorance on the subject).

@zimon

Is there an example of a major distro switching from deb to rpm ?