
Re: you iso's may have been hacked



Thomas Schmitt wrote:
>Steve McIntyre wrote:
>> It's also contained in the debian-role-keys keyring in the
>> debian-keyring package: [...]
>> and the full fingerprint is also on the Debian website using https for
>> people who would rather trust that.
>
>We users could easily be outsmarted in this aspect, I fear.
>It's hard to tell whom to trust and how to avoid being spoofed by others.
>
>In any case somebody with edit powers should replace in
>
>  https://www.debian.org/CD/faq/#verify
>
>"SHA1" and "MD5" by "SHA512".
>Just to make this aspect safe for the next few years ... hopefully.

Good point - I've just updated the FAQ to remove mentions of MD5 and
SHA1 and switch to SHA512 and SHA256 instead.

There's work ongoing on the new cleaner/clearer download page, and I'm
hoping to have that live soon-ish.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
  Armed with "Valor": "Centurion" represents quality of Discipline,
  Honor, Integrity and Loyalty. Now you don't have to be a Caesar to
  concord the digital world while feeling safe and proud.
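
The verification discussed in this thread, as an added example that is not part of the original messages or Debian's own tooling: check the signature on the checksum list against the role keyring, then compare the image with its SHA512 entry. The function names and the keyring path are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Keyring shipped by the debian-keyring package (path is an assumption).
ROLE_KEYRING="${ROLE_KEYRING:-/usr/share/keyrings/debian-role-keys.gpg}"

# Check the detached signature on the checksum list against the role keyring.
# gpgv exits non-zero unless a key in that keyring made a valid signature.
verify_sums_signature() {
    sums="$1"; sig="$2"
    gpgv --keyring "$ROLE_KEYRING" "$sig" "$sums"
}

# Compare one image against its entry in a SHA512 checksum list.
# Returns 0 on match, 1 on mismatch, 2 if the list has no usable entry.
verify_image_sha512() {
    sums="$1"; image="$2"
    name=$(basename "$image")
    # Lines look like "<128 hex digits>  <file name>"; match the name exactly
    # (binary-mode lists prefix the name with "*").
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")
    # A missing entry must fail, not pass silently.
    [ -n "$expected" ] || return 2
    # Refuse shorter digests, such as an MD5 or SHA1 list passed by mistake.
    [ "${#expected}" -eq 128 ] || return 2
    actual=$(sha512sum "$image" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}
```

Run `verify_sums_signature` first and stop if it fails: a checksum list that is not signed by a trusted key proves nothing about the image.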

