Hello, on the page https://www.debian.org/CD/verify.en.html, the explanation is more based on MD5 than on better checksum algorithms. I think it would be better to talk about SHA512 for the default example and MD5 as a fallback only. I made a patch for that (see attachment).

I removed the reference to SHA-1 because there are theoretical collisions and I remember there is a removal of its use inside Debian for signatures (but I don't remember exactly if it's for the ISO signatures).

- Do you see improvements?
- Should I re-add SHA-1? With MD5, to group them in weak algorithms?

If it's ok, I will commit the patch in a few days.

Regards
-- Stéphane
Index: english/CD/verify.wml =================================================================== RCS file: /cvs/webwml/webwml/english/CD/verify.wml,v retrieving revision 1.3 diff -u -w -r1.3 verify.wml --- english/CD/verify.wml 1 Nov 2015 15:56:22 -0000 1.3 +++ english/CD/verify.wml 25 Sep 2016 14:36:39 -0000 @@ -15,18 +15,18 @@ <p> To validate the contents of a CD image, just be sure to use the appropriate checksum tool. -For older archived CD releases, only MD5 checksums were generated in -the <code>MD5SUMS</code> files; you should use the tool -<code>md5sum</code> to work with these. -For newer releases, newer and cryptographically stronger checksum -algorithms (SHA1, SHA256 and SHA512) are used, and there are equivalent -tools available to work with these. +For recent releases, cryptographically strong checksum +algorithms (SHA256 and SHA512) are used; you should use the tools +<code>sha256sum</code> or <code>sha512sum</code> to work with these. +For older archived CD releases, if only MD5 checksums were generated in +the <code>MD5SUMS</code> files, you should use the tool +<code>md5sum</code>. </p> <p> To ensure that the checksums files themselves are correct, use GnuPG to verify them against the accompanying signature files (e.g. -<code>MD5SSUMS.sign</code>). +<code>SHA512SUMS.sign</code>). The keys used for these signatures are all in the <a href="http://keyring.debian.org">Debian GPG keyring</a> and the best way to check them is to use that keyring to validate via the web of
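Review bot: the hunk drops SHA1 entirely from the list of algorithms the old text says were used for newer releases, so a reader holding a release that shipped only SHA1SUMS gets no guidance at all; the author's own suggestion of re-adding SHA-1 next to MD5 as a "weak, use only if nothing stronger is available" fallback is the better shape, e.g. "For older archived CD releases, only MD5 or SHA1 checksums were generated; use <code>md5sum</code> or <code>sha1sum</code> to check those, and rely on the GnuPG signature rather than the digest strength." The new conditional wording "if only MD5 checksums were generated in the <code>MD5SUMS</code> files, you should use the tool" reads awkwardly and can be a plain statement. The change of the example signature file to <code>SHA512SUMS.sign</code> is good and incidentally fixes the <code>MD5SSUMS.sign</code> typo in the original; since the paragraph already says the signature is what makes the checksum file trustworthy, it is worth one clause making clear that the weak-digest fallback is acceptable only when that signature verifies.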
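The verification step the patched text describes, as an added example that is not part of the mail or of the Debian web page: a small POSIX shell function that checks an image against the release's <code>SHA512SUMS</code> file with <code>sha512sum -c</code>, with <code>md5sum</code>/<code>MD5SUMS</code> as the fallback for archived releases. The image and the checksum files are constructed in a temporary directory so the script runs offline; against a real download the GnuPG check of <code>SHA512SUMS.sign</code> (shown only as a commented command) comes first, because the checksum file is fetched from the same place as the image.

```shell
#!/bin/sh
# Added example, not Debian's own tooling. The "image" and the *SUMS files below
# are constructed stand-ins; in practice both come from the release directory and
# the checksum file is authenticated first with:
#   gpg --keyring /usr/share/keyrings/debian-role-keys.gpg --verify SHA512SUMS.sign SHA512SUMS
# (keyring path is an assumption; use the keyring the verify page points at).

# verify_image DIR NAME [ALGO]
#   ALGO is "sha512" (default, recent releases) or "md5" (archived releases that
#   only ship MD5SUMS). Returns 0 only if NAME is listed in the sums file and its
#   digest matches; a missing entry, a tampered file or a bad line all fail.
verify_image() {
    dir=$1; name=$2; algo=${3:-sha512}
    case $algo in
        sha512) tool=sha512sum; sums=SHA512SUMS ;;
        md5)    tool=md5sum;    sums=MD5SUMS ;;
        *) echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    # Select only this image's line (the sums file lists every image of the
    # release) and let the checksum tool compare it against the local file.
    ( cd "$dir" && grep "  $name\$" "$sums" | "$tool" -c - ) >/dev/null 2>&1
}

# make_release: build a constructed release directory and print its path.
make_release() {
    dir=$(mktemp -d)
    printf 'constructed image contents, not a real ISO\n' > "$dir/debian-constructed.iso"
    ( cd "$dir" && sha512sum debian-constructed.iso > SHA512SUMS \
                && md5sum    debian-constructed.iso > MD5SUMS )
    printf '%s' "$dir"
}

# tamper DIR: append one byte to the image, simulating a corrupted or altered download.
tamper() {
    printf 'X' >> "$1/debian-constructed.iso"
}

# Stand-alone demonstration.
if [ "${0##*/}" != "sh" ] && [ -z "$VERIFY_IMAGE_NO_DEMO" ]; then
    rel=$(make_release)
    verify_image "$rel" debian-constructed.iso        && echo "sha512: OK"
    verify_image "$rel" debian-constructed.iso md5    && echo "md5 fallback: OK"
    tamper "$rel"
    verify_image "$rel" debian-constructed.iso        || echo "sha512 after tamper: FAILED (expected)"
    rm -rf "$rel"
fi
```

The grep-then-check pattern is used instead of `sha512sum --ignore-missing` so the function also works with older coreutils; with a modern coreutils `sha512sum -c --ignore-missing SHA512SUMS` in the download directory does the same job in one command.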