
Using sha512 checksum for default in CD/verify page



Hello,

On the page https://www.debian.org/CD/verify.en.html, the explanation is
based more on MD5 than on better checksum algorithms. I think it would
be better to talk about SHA512 as the default example and MD5 as a fallback only.

I made a patch for that (see attachment).

I removed the reference to SHA-1 because there are theoretical
collisions, and I remember that its use is being removed inside Debian
for signatures (but I don't remember exactly whether that applies to the ISO
signatures).

- Do you see improvements?
- Should I re-add SHA-1? With MD5, to group them as weak algorithms?

If it's OK, I will commit the patch in a few days.


Regards
-- 
Stéphane
Index: english/CD/verify.wml
===================================================================
RCS file: /cvs/webwml/webwml/english/CD/verify.wml,v
retrieving revision 1.3
diff -u -w -r1.3 verify.wml
--- english/CD/verify.wml	1 Nov 2015 15:56:22 -0000	1.3
+++ english/CD/verify.wml	25 Sep 2016 14:36:39 -0000
@@ -15,18 +15,18 @@
 <p>
 To validate the contents of a CD image, just be sure to use the
 appropriate checksum tool.
-For older archived CD releases, only MD5 checksums were generated in
-the <code>MD5SUMS</code> files; you should use the tool
-<code>md5sum</code> to work with these.
-For newer releases, newer and cryptographically stronger checksum
-algorithms (SHA1, SHA256 and SHA512) are used, and there are equivalent
-tools available to work with these.
+For recent releases, cryptographically strong checksum
+algorithms (SHA256 and SHA512) are used; you should use the tools
+<code>sha256sum</code> or <code>sha512sum</code> to work with these.
+For older archived CD releases, if only MD5 checksums were generated in
+the <code>MD5SUMS</code> files, you should use the tool
+<code>md5sum</code>.
 </p>
 
 <p>
 To ensure that the checksums files themselves are correct, use GnuPG to
 verify them against the accompanying signature files (e.g.
-<code>MD5SSUMS.sign</code>).
+<code>SHA512SUMS.sign</code>).
 The keys used for these signatures are all in the <a
 href="http://keyring.debian.org";>Debian GPG keyring</a> and the best
 way to check them is to use that keyring to validate via the web of
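Review bot: the rewritten paragraph never tells the reader to prefer SHA512SUMS, although making SHA512 the default is the stated purpose of the change, and it silently drops SHA1 even though the text it replaces said newer releases also ship SHA1 checksums, so a reader who finds a SHA1SUMS file next to SHA256SUMS gets no guidance. Suggest stating the order explicitly, e.g. "use <code>sha512sum</code> with <code>SHA512SUMS</code> where it is available, otherwise <code>sha256sum</code> with <code>SHA256SUMS</code>", and grouping SHA1 with MD5 as legacy digests to fall back on only for archived releases that have nothing stronger. The conditional "if only MD5 checksums were generated" also reads as uncertain where the old text stated it as fact; "for which only MD5 checksums were generated" keeps the meaning. The e.g. in the second change could list <code>SHA256SUMS.sign</code> as well, since the paragraph above now names both tools.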



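As an added example (the editor's own, not code from the Debian website or from the patch above), a POSIX shell script that applies the verification order the patched text describes: authenticate the checksum file with GnuPG against its .sign file, prefer SHA512SUMS, fall back to SHA256SUMS, and accept MD5SUMS only when the caller explicitly allows it for an archived release. The function names verify_image and pick_sums_file, the environment switches ALLOW_MD5 and ALLOW_UNSIGNED, and the sample image file are assumptions made for this demo.

```shell
#!/bin/sh
# Added example (editor's own, not from the Debian website or the patch):
# verify a CD image against the strongest signed checksum file available.
# Preference order: SHA512SUMS, then SHA256SUMS; MD5SUMS is accepted only
# when ALLOW_MD5=1 (archived releases). The checksum file is authenticated
# with GnuPG against its .sign file unless ALLOW_UNSIGNED=1 is set.
# ALLOW_MD5, ALLOW_UNSIGNED and the function names are assumed for this demo.

set -u

# pick_sums_file DIR: print the strongest acceptable checksum file in DIR
pick_sums_file() {
    for name in SHA512SUMS SHA256SUMS; do
        if [ -f "$1/$name" ]; then echo "$name"; return 0; fi
    done
    if [ "${ALLOW_MD5:-0}" = 1 ] && [ -f "$1/MD5SUMS" ]; then
        echo MD5SUMS; return 0
    fi
    return 1
}

# sums_tool NAME: coreutils tool that checks lines from checksum file NAME
sums_tool() {
    case $1 in
        SHA512SUMS) echo sha512sum ;;
        SHA256SUMS) echo sha256sum ;;
        MD5SUMS)    echo md5sum ;;
        *)          return 1 ;;
    esac
}

# verify_image DIR IMAGE: 0 if IMAGE matches its entry in the chosen file
verify_image() {
    vi_dir=$1; vi_iso=$2
    vi_sums=$(pick_sums_file "$vi_dir") || {
        echo "no acceptable checksum file in $vi_dir (ALLOW_MD5=1 for archived releases)" >&2
        return 1
    }
    vi_tool=$(sums_tool "$vi_sums")
    # authenticate the checksum file first; an unsigned SHA512SUMS proves nothing
    if [ -f "$vi_dir/$vi_sums.sign" ]; then
        gpg --verify "$vi_dir/$vi_sums.sign" "$vi_dir/$vi_sums" || return 1
    elif [ "${ALLOW_UNSIGNED:-0}" != 1 ]; then
        echo "$vi_sums.sign missing; refusing to trust $vi_sums" >&2
        return 1
    fi
    # keep only the entry for IMAGE so the other images listed in the file do
    # not produce 'No such file' noise; the second field is "name" or "*name"
    vi_line=$(awk -v f="$vi_iso" '$2 == f || $2 == "*" f' "$vi_dir/$vi_sums")
    [ -n "$vi_line" ] || { echo "$vi_iso not listed in $vi_sums" >&2; return 1; }
    ( cd "$vi_dir" && printf '%s\n' "$vi_line" | "$vi_tool" -c ) >/dev/null
}

# usage: sh verify-image.sh /path/to/download/dir debian-netinst.iso
[ $# -ge 2 ] && verify_image "$1" "$2"
```

The gpg step only succeeds once the signing key is in your keyring, which is why the page points at keyring.debian.org; the script deliberately refuses an unsigned checksum file unless ALLOW_UNSIGNED=1 is set, because a checksum file that was not authenticated only proves the download was not corrupted, not that it is the file Debian published.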