>> DEBs, on the other hand, are really nothing more than ar archives with
>> two files in them: control.tar.gz and data.tar.gz. The control tarball
>> contains the various shell scripts to be run for pre/post
>> installation/removal, while data.tar.gz contains the actual
>> installation files.
>
> That is very interesting. I like the way that they used other formats.
> But: How do Debian files handle PGP signatures? Can they be embedded?
> What about subpackages?

Why of course. You can embed PGP signatures into the packages (see note). Unfortunately some things in Debian move slowly (like change). So while the capability is there, it is not common practice at this time to actually use the functionality. Uploads are signed by the maintainer to verify it's really from whom it says it is, but not inline package signature. At least that is my understanding.

-Derek

**NOTE**

There is a debsigs package that supports signing debs.

Description: applies cryptographic signatures to Debian packages

debsigs is a package that allows GPG signatures to be embedded inside Debian packages. These signatures can later be verified by package retrieval and installation tools to ensure the authenticity of the contents of the package.

Of course there is a package debsigs-verify which verifies packages as they are installed.

**END NOTE**
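The layout discussed in this thread can be inspected directly. The following is an added example, not part of the original messages: it walks the ar container of a .deb and reports whether any embedded signature members are present. The function names are hypothetical, the sample archives are constructed in memory, and the `_gpg` member-name prefix (for example `_gpgorigin`) is an assumption about how the signing tool names what it adds.

```python
AR_MAGIC = b"!<arch>\n"
HEADER_LEN = 60  # name[16] mtime[12] uid[6] gid[6] mode[8] size[10] magic[2]

def ar_members(blob):
    """Return [(name, size)] for every member of a common-format ar archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = [], len(AR_MAGIC)
    while pos < len(blob):
        header = blob[pos:pos + HEADER_LEN]
        if len(header) < HEADER_LEN or header[58:60] != b"`\n":
            raise ValueError(f"corrupt member header at offset {pos}")
        # Names are space padded; GNU ar also appends a trailing '/'.
        name = header[0:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(header[48:58].decode("ascii").strip())
        if pos + HEADER_LEN + size > len(blob):
            raise ValueError(f"member {name!r} is truncated")
        members.append((name, size))
        pos += HEADER_LEN + size + (size & 1)  # data is padded to an even offset
    return members

def signature_members(blob):
    """Names of members that look like embedded signatures (assumed '_gpg' prefix)."""
    return [name for name, _ in ar_members(blob) if name.startswith("_gpg")]

def build_ar(files):
    """Build a small ar archive in memory (constructed sample input only)."""
    out = bytearray(AR_MAGIC)
    for name, data in files:
        out += b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (
            name.encode("ascii"), 0, 0, 0, b"100644", len(data))
        out += data + (b"\n" if len(data) & 1 else b"")
    return bytes(out)

# Constructed stand-ins for real member contents, not a real package.
BASE = [("debian-binary", b"2.0\n"), ("control.tar.gz", b"ctl"),
        ("data.tar.gz", b"data!")]
UNSIGNED = build_ar(BASE)
SIGNED = build_ar(BASE + [("_gpgorigin", b"(constructed signature bytes)")])

if __name__ == "__main__":
    for label, blob in (("unsigned", UNSIGNED), ("signed", SIGNED)):
        print(label, ar_members(blob), signature_members(blob))
```

Finding a signature member only shows that a signature was embedded; whether it is valid and made by a trusted key is a separate check, which is the job of the verification tool named in the note.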