[cookiecaper]

This is pretty scary now that CM has started to do OTA updates again. What server is that mechanism checking and trusting? Is there any cryptographic verification for update packages? Whose keys are used (the keys of the bad dude?)?

[BHSPitMonkey]

This is definitely important to find out in the wake of this incident, and I'm anxious to learn the answers myself. That said, CyanogenMod distributes its builds through a separate dedicated site [1] that appears to be unaffected.

[1] http://get.cm/