My /etc/apt/sources.list contains:
deb http://deb.torproject.org/torproject.org karmic main
In the "authentication" section of my "software sources" I have a deb.torproject.org archive signing key dated 2009-09-04 with a value 886DDD89.
I was looking at the page which explains how to verify signatures for downloads: https://www.torproject.org/docs/verifying-signatures.html.en
If one is not directly downloading but using the sources.list file is the "authentication" section adequate to verify the validity of the downloads?