From what I gather, they don't use the trustdb for the reasons we are seeing; instead it looks like they have another keyring named "trusted.gpg" and go forth with the assumption that everything in

Allan and I today, and Denis in the past, noticed some issues with having a shared public key database and locking that gpg wants to do when reading from it. Here is an interesting bit from the apt changelog: apt (0.6.2) experimental; urgency=low * Provide apt-key with a secret keyring and a trustdb, even though we would never use them, because it blows up if it doesn't have them there is to be trusted. -Dan