I did post this before in November but got no responses. Hopefully this wasn't because the question was so dumb.
------------- My /etc/apt/sources.list contains: deb http://deb.torproject.org/torproject.org lucid main In the "authentication" section of my "software sources" I have a deb.torproject.org archive signing key dated 2009-09-04 with a value 886DDD89. I was looking at the page which explains how to verify signatures for downloads: https://www.torproject.org/docs/verifying-signatures.html.en If one is not directly downloading but using the sources.list file is the "authentication" section adequate to verify the validity of the downloads? Thanks