The best way to stay up to date on Cucumber Linux security updates and advisories is to subscribe to our security mailing list, firstname.lastname@example.org. Security updates are also posted in the changelog.
Starting with the second alpha, all packages for Cucumber Linux are cryptographically signed. The Cucumber public key comes with the pickle package, so you can find it on any Cucumber installation under /etc/pickle.d/keys/cucumber.gpg.
Imortant Note About PGP Signatures
If you want to verify the signatures on the mailing list messages, make sure to only check the signature agains the original message body. Sourceforge has a tendency to add their own footer to messages, which interferes with signature verification. This footer should be ignored when verifying signatures.
Thanks to the friendly folks at sourceforge.net for hosting the Cucumber Linux project!