Re: you iso's may have been hacked
Thomas Schmitt wrote:
>Steve McIntyre wrote:
>> It's also contained in the debian-role-keys keyring in the
>> debian-keyring package: [...]
>> and the full fingerprint is also on the Debian website using https for
>> people who would rather trust that.
>
>We users could easily be outsmarted in this aspect, I fear.
>It's hard to tell whom to trust and how to avoid being spoofed by others.
>
>In any case somebody with edit powers should replace in
>
> https://www.debian.org/CD/faq/#verify
>
>"SHA1" and "MD5" by "SHA512".
>Just to make this aspect safe for the next few years ... hopefully.
Good point - I've just updated the FAQ to remove mentions of MD5 and
SHA1 and switch to SHA512 and SHA256 instead.
There's work ongoing on the new cleaner/clearer download page, and I'm
hoping to have that live soon-ish.
--
Steve McIntyre, Cambridge, UK. steve@einval.com
Armed with "Valor": "Centurion" represents quality of Discipline,
Honor, Integrity and Loyalty. Now you don't have to be a Caesar to
concord the digital world while feeling safe and proud.