Comment 14 for bug 1013681

Whilst poking all of this a while back, my thought was to use inline signed keyring snippet which is downloaded probably with the apt-helper, validated (well gpgv decrypt) and stored as /etc/apt/trusted.gpg.d/netupdate.gpg. Since we no longer need to touch /etc/apt/trusted.gpg keyring. This doesn't even need to live in apt-key netupdate, and could be just a timer unit. But i guess having this simple logic in apt-key script may make sense.

Note that netupdate has been disabled for a long while now, thus any reintroduction will need security team review before we enable.