Arch Linux User Repository

@cb474 They updated the key for .deb packages just 1 year ago, can you check please? https://blog.spideroak.com/20130920145427-ubuntudebian-apt-repository-gpg-key-update

@coolpyrofreak That blog post that you link to is six years old. The GPG key in that post expired four years ago. It's even more out of date that the GPG key for the .deb files. In any case, it also does not appear in the PKGBUILD for this AUR version of of SpiderOak that the download is being verified with GPG (the sha1sum check does not accomplish the same thing). As I said, as far as I can tell, there are no GPG keys for SpiderOak anymore. I'm emailing them and waiting for a response. In the meantime, in principle, it seems there is no way to know that this install of SpiderOak has not been compromised. If it was something else, I might not be as concerned. But if one is going out of one's way to use the sort of zero knowledge encryption that SpiderOak provides, it really kind of defeats the purpose not to verify the package with GPG.

@cb474 - They sign the RPMs used for this PKGBUILD. Read here: https://blog.spideroak.com/20090219070000-hello-fedora

Isn't it a problem that there are no GPG signatures for this package? SpiderOak used to provide them, at least for the .deb package, but everything about this on their website seems to be out of date now. Without GPG signatures there's no way to verify that the package downloaded from the SpiderOak site is the real package. I love SpiderOak, but it kind of undermines the point of encryption like this.

Updated to 5.1.10.

According to Spideroak's website, the most recent version is 5.1.10 and the version in the AUR fails to build properly.

@ddreamer - Looks like an upstream bug to me. You can email them at support@spideroak.com.

Failed to show trayicon in the updated Archlinux system with cinnamon 2.4.6-1.

Thanks for the info re. the downgrade, by the way. I'd actually already got those links from the forums when I reported the bug.