On a related note, with WoT discussions going on elsewhere: wide distribution of your key fingerprint and signature on many hundreds of documents (e.g. email, git commits, ...) can be one means of informally authenticating an individual when they're not in your web of trust and you have no means of securely retrieving a public key.
If a malicious GNU mirror replaced an ease.js tarball and signed it with a key that looks to be mine, and you just downloaded that public key, that'd be useless. But I love to ramble about lots of stuff online, so you can dig into mail archives and see the same key used over and over and see that the other is a forgery.
It's not a substitute for proper keysigning in a web of trust, of course. I might not actually be Mike Gerwitz. He's locked in my basement.
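The consistency check described above, as an added example that is not part of the original post: it tallies which key fingerprint produced valid signatures across independent sources and how long each key has been in use. It assumes the candidate keys were already imported and every document was run through `gpg --status-fd 1 --verify`. The fingerprints, timestamps, source names and thresholds are all constructed for illustration.

```python
import time
from collections import defaultdict

# Constructed placeholder fingerprints, not real keys.
OLD_KEY = "A" * 40   # key seen throughout the public archives
NEW_KEY = "B" * 40   # key that signed a freshly downloaded tarball

def validsig(fpr, ts):
    """Build a constructed GnuPG VALIDSIG status line for sample data."""
    day = time.strftime("%Y-%m-%d", time.gmtime(ts))
    return f"[GNUPG:] VALIDSIG {fpr} {day} {ts} 0 4 0 1 8 00 {fpr}"

# (where the signed document was found, gpg status output) - constructed.
SAMPLES = [
    ("mail-archive", validsig(OLD_KEY, 1325376000)),
    ("mail-archive", validsig(OLD_KEY, 1356998400)),
    ("git-commits", validsig(OLD_KEY, 1370000000)),
    ("git-commits", validsig(OLD_KEY, 1400000000)),
    ("mirror-tarball", validsig(NEW_KEY, 1400100000)),
]

def history(samples):
    """Map primary-key fingerprint -> sources and signature times seen."""
    seen = defaultdict(lambda: {"sources": set(), "times": []})
    for source, status in samples:
        for line in status.splitlines():
            f = line.split()
            # VALIDSIG: fpr, date, timestamp, ..., primary-key fpr (last field)
            if len(f) >= 12 and f[:2] == ["[GNUPG:]", "VALIDSIG"]:
                seen[f[-1]]["sources"].add(source)
                seen[f[-1]]["times"].append(int(f[4]))
    return seen

def assess(candidate, seen, min_sources=2, min_days=365):
    """Classify a fingerprint by how widely and how long it has been used.

    The thresholds are arbitrary assumptions; tune them to the archives you have.
    """
    rec = seen.get(candidate)
    if rec is None:
        return "unseen"
    span_days = (max(rec["times"]) - min(rec["times"])) / 86400
    if len(rec["sources"]) >= min_sources and span_days >= min_days:
        return "established"
    return "thin"

if __name__ == "__main__":
    seen = history(SAMPLES)
    for key in (OLD_KEY, NEW_KEY):
        print(key[:8], assess(key, seen), sorted(seen[key]["sources"]))
```

A "thin" or "unseen" result for the key that signed a download, next to an "established" key for the same identity, is the mismatch the post describes. As the post says, an "established" result is still informal evidence and not a web-of-trust signature.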