I consider the Web of Trust a failed initiative (search for the mass SKS key poisoning that occurred in 2019).
PGP is used to sign software in source (commits / tags in Git/Mercurial) and binary (compiled artifacts) forms.
Currently, when I download software from the Internet, I usually rely on PGP keys (Debian / Cygwin / etc. package providers). It is only the keys that I trust.
Unfortunately, getting the keys for the first time is a dangerous process. I visit an HTTPS page and have to trust what is written on the HTML page (key fingerprints and links for .asc file downloads).
I wonder why major package providers don't cross-sign their PGP keys... For example, I have a set of Debian keys that I have trusted for 15 years: it would be cool if they signed Alpine or Red Hat keys! Why don't we have such beneficial cross-signing (a small WoT for really important keys)?
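The first-contact step the post describes (download an .asc file, compare its fingerprint with the one printed on the HTTPS page) is exactly the step worth automating so it is never skipped or eyeballed. The following is an added example for this thread, not code from the original post or from any vendor: it computes the OpenPGP v4 fingerprint (RFC 4880 section 12.2) of the primary key in an ASCII-armored key block in pure Python, without gpg, and compares it in constant time with the fingerprint obtained out of band. The key it fingerprints is a constructed dummy built in the block itself, not a real Debian or Cygwin key; the function names are my own; only v4 keys and non-partial packet lengths are handled.

```python
"""Added example: verify a downloaded PGP public key against an out-of-band fingerprint."""
import base64
import hashlib
import hmac
import re

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 section 6.1 (CRC-24/OPENPGP)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def decode_armor(armored: str) -> bytes:
    """Return the binary packets of a PUBLIC KEY BLOCK; reject a bad CRC line."""
    lines = armored.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"):
        raise ValueError("not a PGP public key block")
    # Armor headers (Version:, Comment:) end at the first blank line.
    blank = next((i for i, line in enumerate(lines) if not line.strip()), None)
    if blank is None:
        raise ValueError("armor has no blank line after the headers")
    data_lines, crc_line = [], None
    for line in lines[blank + 1:]:
        if line.startswith("-----END"):
            break
        if line.startswith("="):          # "=XXXX": base64 of the 24-bit CRC
            crc_line = line[1:].strip()
        else:
            data_lines.append(line.strip())
    data = base64.b64decode("".join(data_lines), validate=True)
    if crc_line is not None and int.from_bytes(base64.b64decode(crc_line), "big") != crc24(data):
        raise ValueError("armor CRC mismatch: key block is corrupt or tampered")
    return data


def first_packet(data: bytes) -> tuple:
    """Parse the first OpenPGP packet header (old or new format); return (tag, body)."""
    if not data or not data[0] & 0x80:
        raise ValueError("invalid packet header")
    hdr = data[0]
    if hdr & 0x40:                         # new format, RFC 4880 section 4.2.2
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                  # old format, section 4.2.1 (0x99 = tag 6, 2-byte length)
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        size = (1, 2, 4)[ltype]
        length, off = int.from_bytes(data[1:1 + size], "big"), 1 + size
    body = data[off:off + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body


def fingerprint_v4(armored: str) -> str:
    """SHA-1 over 0x99 || 2-byte length || public-key packet body (section 12.2)."""
    tag, body = first_packet(decode_armor(armored))
    if tag != 6:
        raise ValueError(f"first packet is tag {tag}, not a public-key packet")
    if body[0] != 4:
        raise ValueError(f"key version {body[0]} not supported (v4 only)")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def normalize_fpr(fpr: str) -> str:
    """Accept the spaced, lowercase or 0x-prefixed forms that web pages print."""
    fpr = re.sub(r"\s+", "", fpr).upper()
    return fpr[2:] if fpr.startswith("0X") else fpr


def check_key_fingerprint(armored: str, expected: str) -> bool:
    """True iff the key's fingerprint equals the one published out of band."""
    want = normalize_fpr(expected)
    if not re.fullmatch(r"[0-9A-F]{40}", want):   # refuse short key IDs: trivially collidable
        raise ValueError("expected value must be a full 40-hex-digit v4 fingerprint")
    return hmac.compare_digest(fingerprint_v4(armored), want)


def is_trusted_key(armored: str, expected: str) -> bool:
    """Policy wrapper: a corrupt, tampered or unparseable key is simply untrusted."""
    try:
        return check_key_fingerprint(armored, expected)
    except ValueError:
        return False


# --- constructed dummy key for the demo (NOT a real key, NOT a valid RSA modulus) ---
def _mpi(n: int) -> bytes:
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")


def build_public_key_body(n: int, e: int, created: int) -> bytes:
    """v4 RSA public-key packet body (section 5.5.2): version, time, algo 1, MPIs."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + _mpi(n) + _mpi(e)


def armor_public_key(body: bytes) -> str:
    """Old-format header 0x99 + 2-byte length, then RFC 4880 ASCII armor with CRC."""
    packet = b"\x99" + len(body).to_bytes(2, "big") + body
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", "Comment: constructed dummy key", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + ["=" + crc, "-----END PGP PUBLIC KEY BLOCK-----", ""])


DUMMY_KEY = armor_public_key(build_public_key_body((1 << 2047) | 0xC0FFEE_1234_5678_9ABC_DEF1, 65537, 1700000000))

if __name__ == "__main__":
    fpr = fingerprint_v4(DUMMY_KEY)
    print("fingerprint:", " ".join(fpr[i:i + 4] for i in range(0, 40, 4)))
    print("matches page value:", is_trusted_key(DUMMY_KEY, fpr.lower()))   # True
    print("matches wrong value:", is_trusted_key(DUMMY_KEY, "0" * 40))     # False
```

The point of the check is that the expected fingerprint must come from a channel other than the .asc download itself: a distro keyring package you already trust, a printed or archived copy, a second site, or a colleague's verified keyring. Once `is_trusted_key` passes, the file can be imported into a dedicated keyring (for example with `gpg --import`) and used to verify signatures; a short 8- or 16-digit key ID is deliberately rejected because colliding ones are cheap to generate.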