While valid, this is an extremely user-hostile response. Requiring administrators to dig up release notes and hoping they actually have your GPG key and know what to do with it is essentially giving the middle finger to admins that don't understand crypto well.
Not really, because admins that don't bother to read release notes or to verify GPG keys should probably be using package management systems maintained by those who do.
That would be fine if there were never a case where a package management system fell out of date due to a package maintainer not staying on top of things.