Instructions on Ring.cx ask for the signing key to be downloaded over HTTP
Issue generated from Tuleap's migration script. Originally submitted by: Emmanuel Lepage Vallee (elv13)
This is vulnerable to a MitM attack. From HackerNews:
RaleyField 2 hours ago
wget -O - "http://gpl.savoirfairelinux.net/ring-download/ring.pub.key" | sudo apt-key add -
To spell it out for you, sending keys unauthenticated is scary. Double scary because these folks are writing security software so it ought to be in their motor memory to avoid trivial mitm attacks.
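A hardened form of the command quoted above, as an added example that is not part of the original issue or of the Ring project's instructions: save the key to a file, compare its fingerprint with one obtained over an authenticated channel, and only then hand it to apt. `EXPECTED_FPR` is a placeholder, the helper names are hypothetical, and the sample listing is constructed.

```shell
#!/bin/sh
# Placeholder: replace with the fingerprint published over an authenticated
# channel (HTTPS page, signed release notes). Not the project's real value.
EXPECTED_FPR="0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"

# Constructed sample of `gpg --show-keys --with-colons` output (not a real key).
SAMPLE_LISTING='pub:-:4096:1:89ABCDEF01234567:1400000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1400000000::X::Constructed Key <key@example.invalid>:'

# Strip whitespace and upper-case hex digits so pasted fingerprints compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Primary-key fingerprint: field 10 of the first "fpr" record on stdin.
first_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Number of primary keys ("pub" records) on stdin.
count_pub() {
    awk -F: '$1 == "pub" { n++ } END { print n + 0 }'
}

# check_listing LISTING EXPECTED
# Succeeds only if the listing holds exactly one primary key and its
# fingerprint equals EXPECTED. A file carrying an extra key is rejected,
# since apt would trust every key in it.
check_listing() {
    want=$(normalize_fpr "$2")
    [ "${#want}" -eq 40 ] || return 2
    [ "$(printf '%s\n' "$1" | count_pub)" -eq 1 ] || return 1
    got=$(printf '%s\n' "$1" | first_fpr)
    [ "$got" = "$want" ]
}

# verify_key_file FILE EXPECTED: inspect the file without importing it.
verify_key_file() {
    listing=$(gpg --show-keys --with-colons "$1" 2>/dev/null) || return 1
    check_listing "$listing" "$2"
}

# Usage, mirroring the command from the page:
#   wget -O ring.pub.key "http://gpl.savoirfairelinux.net/ring-download/ring.pub.key"
#   verify_key_file ring.pub.key "$EXPECTED_FPR" && sudo apt-key add ring.pub.key
```

The fingerprint check authenticates the key only if the expected value itself arrived over a channel an on-path attacker could not modify.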