
Using sha512 checksum for default in CD/verify page


On the page https://www.debian.org/CD/verify.en.html, the explanation is
more based on MD5 than on better checksum algorithms. I think it would
be better to talk about SHA512 as the default example and MD5 as a fallback only.

I made a patch for that (see attachment).

I removed the reference to SHA-1 because there are theoretical
collisions and I remember there is a removal of the use inside Debian
for signatures (but I don't remember exactly if it's for the iso

- Do you see improvements?
- Should I re-add SHA-1? With MD5, to group them in weak algorithms?

If it's OK, I will commit the patch in a few days.

Index: english/CD/verify.wml
RCS file: /cvs/webwml/webwml/english/CD/verify.wml,v
retrieving revision 1.3
diff -u -w -r1.3 verify.wml
--- english/CD/verify.wml	1 Nov 2015 15:56:22 -0000	1.3
+++ english/CD/verify.wml	25 Sep 2016 14:36:39 -0000
@@ -15,18 +15,18 @@
 To validate the contents of a CD image, just be sure to use the
 appropriate checksum tool.
-For older archived CD releases, only MD5 checksums were generated in
-the <code>MD5SUMS</code> files; you should use the tool
-<code>md5sum</code> to work with these.
-For newer releases, newer and cryptographically stronger checksum
-algorithms (SHA1, SHA256 and SHA512) are used, and there are equivalent
-tools available to work with these.
+For recent releases, cryptographically strong checksum
+algorithms (SHA256 and SHA512) are used; you should use the tools
+<code>sha256sum</code> or <code>sha512sum</code> to work with these.
+For older archived CD releases, if only MD5 checksums were generated in
+the <code>MD5SUMS</code> files, you should use the tool
 To ensure that the checksums files themselves are correct, use GnuPG to
 verify them against the accompanying signature files (e.g.
 The keys used for these signatures are all in the <a
 href="http://keyring.debian.org";>Debian GPG keyring</a> and the best
 way to check them is to use that keyring to validate via the web of
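
Review bot: In the added MD5 sentence ("For older archived CD releases, if only MD5 checksums were generated in the <code>MD5SUMS</code> files, you should use the tool"), the text as shown stops before naming a tool and runs straight into the unchanged "To ensure that the checksums files themselves are correct" paragraph, so please confirm the "<code>md5sum</code> to work with these." continuation from the removed lines is carried over. The same sentence presents MD5 as a fallback right after SHA256 and SHA512 are called "cryptographically strong" without saying that MD5 is not; a short qualifier there would make the ordering's intent explicit. Dropping SHA1 from the algorithm list also leaves a reader who holds a SHA1 checksum file with no pointer to a tool; if the removal is deliberate, one clause grouping SHA1 with MD5 as a weak, legacy-only option would cover that case.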
