Hi,

Steve McIntyre wrote:
> It's also contained in the debian-role-keys keyring in the
> debian-keyring package:
[...]
> and the full fingerprint is also on the Debian website using https for
> people who would rather trust that.

We users could easily be outsmarted in this aspect, I fear. It's hard to tell whom to trust and how to avoid being spoofed by others.

In any case somebody with edit powers should replace in https://www.debian.org/CD/faq/#verify "SHA1" and "MD5" by "SHA512". Just to make this aspect safe for the next few years ... hopefully.

Have a nice day :)

Thomas

