Apparently there is some confusion in this discussion, regarding what must be passed over trusted channels (not pointing at any particular person). So, to clarify. For the purpose of signature verification, public key material is not required to be taken from a trusted source. The thing to be verified through a trusted route is the fingerprint. Yes, from purely cryptographic PoV this is imperfect: the fingerprint is SHA-1, which no longer provides neccessary security guarantees. A malicious agent may theoretically provide a forged key with a matching fingerprint. But “I believe this website” isn’t a valid cryptographic construct either; instead obtaining signatures is required. So the argument is mostly moot. When talking about obtaining keys based on evaluating trust in non-cryptographic manner, there is little difference in getting a complete key from places you trust, compared to getting a key off anywhere and getting a fingerprint/keyID from the places you trust. Key owners publishing their keys on their/project website is the best way, but — in its absence — just verify the fingerprint. In particular keyservers are not more trusted than AUR. Quite opposite. With keyservers, to you the key uploader is anonymous. On AUR the uploader is pseudonymous or a traceable person.