I am concerned about support for signed packages. By default, this red-carpet does not check signatures, nor was its package signed. You must edit /etc/ximian/rcd.conf (add 'require-signatures=true') to enable checking, but even then (at least on my system) red-carpet seems to ignore signature check failures.
On installs of signed packages, rug reports something like, 'Unable to verify package signature for [..]; package will be installed because user is trusted'. On installs of unsigned packages, it reports something like, 'There is no package signature for [..]; package will be installed because user is trusted'.
What does this actually mean, and am I the only one seeing it? Who is being trusted?