
[RFR] wml://CD/verify.html (was: Add extra page at /CD/verify.html)



Hi,

On 16/03/2011 13:54, Steve McIntyre wrote:

> With reference to
> http://lists.debian.org/debian-cd/2011/03/msg00071.html, I've written
> something up.
> 
> wml attached, plus a diff to link it into /CD/index.html I hope.
> 
> Please review / commit?

I would propose avoiding the “we” form; diff and resulting file
attached. I am adding the L10n English list to the loop to correct my
cheesy English, thanks in advance.

Todd [0] also proposed adding some step-by-step directions. I don't know
if we should be so complete (e.g. step 1: install gnupg); if so, I wonder if
we should advise using aptitude and sudo to install a new package, and
if we shouldn't also advise the check with the other checksums, etc.
(Anyway, we can commit this page when we agree on this first part, and
add step-by-step directions later once we agree on the second part.)

0: http://lists.debian.org/debian-cd/2011/03/msg00078.html

Regards

David

--- english/CD/verify-sledge.wml	2011-04-02 17:14:53.443982597 -0400
+++ english/CD/verify.wml	2011-04-02 17:36:58.143981832 -0400
@@ -11,9 +11,9 @@
 <p>To validate the contents of a CD image, first of all use the
 appropriate checksum tool. For older archived CD releases, only MD5
 checksums were generated in the <tt>MD5SUMS</tt> files; you should use
-the tool <tt>md5sum</tt> to work with these. For newer releases, we
-have moved to newer, cryptographically stronger checksum algorithms
-(SHA1, SHA256 and SHA512) and there are equivalent tools available to
+the tool <tt>md5sum</tt> to work with these. For newer releases,
+newer and cryptographically stronger checksum algorithms
+(SHA1, SHA256 and SHA512) are used and there are equivalent tools available to
 work with these.</p>
 
 <p>To ensure that the checksums files themselves are correct, use
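Review bot: the added line "(SHA1, SHA256 and SHA512) are used and there are equivalent tools available to" is much longer than the other lines of the paragraph, and "For newer releases, newer and cryptographically stronger" repeats "newer". Suggest rewrapping the paragraph and dropping the second "newer", e.g. "For newer releases, cryptographically stronger checksum algorithms (SHA1, SHA256 and SHA512) are used". The sentence before it names md5sum explicitly, so naming the equivalent tools here (sha1sum, sha256sum, sha512sum) instead of "equivalent tools" would tell the reader what to run.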
@@ -27,7 +27,8 @@
 
 #include "$(ENGLISHDIR)/CD/CD-keys.data"
 
-<p>We have gradually moved away from using the personal keys belonging
-to developers to using official <q>role</q> keys instead. However, we
-have decided not to go back and re-sign all the old releases that were
+<p>
+Official <q>role</q> keys have been gradually used instead of personal
+keys belonging to developers. However, it
+was decided not to go back and re-sign all the old releases that were
 already signed using the older keys.</p>
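Review bot: "Official <q>role</q> keys have been gradually used instead of personal keys" loses the sense of the removed "moved away from", and "it was decided" no longer says who decided. Suggest something like "Personal keys belonging to developers have gradually been replaced by official <q>role</q> keys. However, old releases that were already signed using the older keys have not been re-signed." Also, the hunk now puts <p> on a line of its own and leaves "keys belonging to developers. However, it" as a short line, while the other paragraphs in the file start their text on the <p> line; keeping the opening tag on the first text line and rewrapping would match them.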
#use wml::debian::cdimage title="Verifying authenticity of Debian CDs" BARETITLE=true

<p>Official releases of Debian CDs come with signed checksum
files. These allow you to check that the images you download are
correct. First of all, the checksum can be used to check that the CDs
have not been corrupted during download. Secondly, the signatures on
the checksum files allow you to confirm that the files are the ones
officially released by the Debian CD / Debian Live team and have not
been tampered with.</p>

<p>To validate the contents of a CD image, first of all use the
appropriate checksum tool. For older archived CD releases, only MD5
checksums were generated in the <tt>MD5SUMS</tt> files; you should use
the tool <tt>md5sum</tt> to work with these. For newer releases,
newer and cryptographically stronger checksum algorithms
(SHA1, SHA256 and SHA512) are used and there are equivalent tools available to
work with these.</p>

<p>To ensure that the checksums files themselves are correct, use
GnuPG to verify them against the accompanying signature files
(e.g. <tt>MD5SUMS.sign</tt>). The keys used for these signatures are
all in the <a href="http://keyring.debian.org">Debian GPG keyring</a>
and the best way to check them is to use that keyring to validate via
the web of trust. To make life easier for users, here are the
fingerprints for the keys that have been used for releases in recent
years (with some UIDs removed for clarity):</p>

#include "$(ENGLISHDIR)/CD/CD-keys.data"

<p>
Official <q>role</q> keys have been gradually used instead of personal
keys belonging to developers. However, it
was decided not to go back and re-sign all the old releases that were
already signed using the older keys.</p>

Attachment: signature.asc
Description: OpenPGP digital signature
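
The two checks the proposed page describes, as an added shell example that is not part of the original post or of the Debian page: verify the signature on a checksum file, then check one image against its entry in that file. The function names and the KEYRING argument (a keyring file holding the CD signing keys) are assumptions.

```shell
#!/bin/sh
# Added example: verify one image against a Debian-style checksum file.

# Pick the checksum tool from the checksum file's name (MD5SUMS -> md5sum, ...).
sum_tool() {
    case "$(basename "$1")" in
        MD5SUMS)    echo md5sum ;;
        SHA1SUMS)   echo sha1sum ;;
        SHA256SUMS) echo sha256sum ;;
        SHA512SUMS) echo sha512sum ;;
        *) return 1 ;;
    esac
}

# Step 1: check the signature on the checksum file itself.
# KEYRING is an assumption: a keyring file holding the CD signing keys.
verify_sums_signature() {   # usage: verify_sums_signature SUMSFILE KEYRING
    gpg --no-default-keyring --keyring "$2" --verify "$1.sign" "$1"
}

# Step 2: check one image against its entry in the checksum file.
verify_image() {            # usage: verify_image SUMSFILE IMAGE
    sums=$1
    image=$2
    tool=$(sum_tool "$sums") || { echo "unknown checksum file: $sums" >&2; return 2; }
    name=$(basename "$image")
    # Keep only this image's line ("hash  name" or "hash *name"), so images
    # that were not downloaded do not make the check fail.
    entry=$(awk -v n="$name" '$2 == n || $2 == ("*" n)' "$sums")
    # Fail closed when the checksum file does not list the image at all.
    [ -n "$entry" ] || { echo "no entry for $name in $sums" >&2; return 3; }
    # Run from the image's directory so the listed file name resolves.
    ( cd "$(dirname "$image")" && printf '%s\n' "$entry" | "$tool" -c - >/dev/null 2>&1 )
}
```

Run verify_sums_signature first and stop if it fails: a checksum match only means something once the checksum file itself is known to be the signed one.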

