Thomas Schmitt wrote:
>Steve McIntyre wrote:
>> It's also contained in the debian-role-keys keyring in the
>> debian-keyring package:
[...]
>> and the full fingerprint is also on the Debian website using https for
>> people who would rather trust that.
>
>We users could easily be outsmarted in this aspect, I fear.
>It's hard to tell whom to trust and how to avoid being spoofed by others.
>
>In any case somebody with edit powers should replace in
>
> https://www.debian.org/CD/faq/#verify
>
>"SHA1" and "MD5" by "SHA512".
>Just to make this aspect safe for the next few years ... hopefully.

Good point - I've just updated the FAQ to remove mentions of MD5 and SHA1
and switch to SHA512 and SHA256 instead. There's work ongoing on the new
cleaner/clearer download page, and I'm hoping to have that live soon-ish.

-- 
Steve McIntyre, Cambridge, UK. st...@einval.com
Armed with "Valor": "Centurion" represents quality of Discipline,
Honor, Integrity and Loyalty. Now you don't have to be a Caesar to
concord the digital world while feeling safe and proud.