we should allow the expert install path to load a RH sig from floppy and checksig the package list to be installed before actually installing them (or at install time, as this may be more reasonable for ftp installs since we need to check the file after it's been copied locally. Yes, this places the burden upon the installing person to get a good sig on a floppy, but for the security paranoid among us, that's the easy part :) The best benefit is that we only need a real RH sig, and then we can "safely" install from any mirror of the RH distro (making sure to check the integrity of the second-stage loader as well, perhaps?) Of course, then beta testers simply need a "beta" and a "real" RH key floppy around (and only if they're paranoid enough to have the installer check). ok, yes, a little buzz-wordy, but one more checkmark on the positive side of RH Linux when useless threads on slashdot get started.
Note that if this is done, you probably want to make it so that an arbitrary number of keys can be checked against for sites which do site-specific package changes