Yes, I get the idea about spewing the signed hashes everywhere. The problem I have is with the user of PGP. That will help cypherpunks, but does absolutely nothing for most of our millions of users, who have no idea what PGP is. Perhaps its enough to assume that if anyone is tampering with the distribution, some cypherpunk will stumble across it...
If nothing else, Jeff, it will expose those "millions of users, who have no idea what PGP is" to PGP. And, hopefully, some of those "millions of users" might even take the time to grab PGP and take a look at that, too. In other words, there is nothing to lose (except a little bit of time and effort, and a small amount of storage space) and there is a heck of a lot to gain by including PGP signatures. -derek