Displaying Instructions for Verifying Installation Media

To: "debian-www@lists.debian.org" <debian-www@lists.debian.org>
Subject: Displaying Instructions for Verifying Installation Media
From: Leon Traille <leon.traille@outlook.com>
Date: Sat, 4 Feb 2017 03:43:21 +0000
Message-id: <[🔎] CO2PR0701MB1048607FDCF568D765610215914E0@CO2PR0701MB1048.namprd07.prod.outlook.com>
In-reply-to: <CO2PR0701MB1048E6DB4990020A87977C5E914F0@CO2PR0701MB1048.namprd07.prod.outlook.com>
References: <[🔎] CO2PR0701MB10486E0A648F88CA04D250F9914C0@CO2PR0701MB1048.namprd07.prod.outlook.com> <[🔎] CAKTje6Fyr08ryiuJm3p9D-=OUfEp1hHtUj40ezjjkqWkOJm7ZA@mail.gmail.com> <CO2PR0701MB1048E6DB4990020A87977C5E914F0@CO2PR0701MB1048.namprd07.prod.outlook.com>


-----Original Message-----
From: Leon Traille 
Sent: Friday, February 3, 2017 3:42 PM
To: Paul Wise <pabs@debian.org>
Subject: RE: Displaying Instructions for Verifying Installation Media

I think every page containing at least one direct download should be updated. I have found the following
	https://www.debian.org/distrib/
	https://www.debian.org/distrib/netinst 
	https://www.debian.org/CD/netinst/
	https://www.debian.org/devel/debian-installer/ 
	https://www.debian.org/releases/jessie/debian-installer/ 

I'd recommend placing the links in its own section with a heading and a short explanation.

For example, on page https://www.debian.org/distrib/netinst, you could add section before the downloads like the following:

	<h2>Verifying Image Files</h2>
	<p>Official releases of Debian images come with checksum files (SHA1SUMS, SHA256SUMS, etc.) that enable you to verify the image you've obtained. These checksum files have signatures stored in other files (SHA1SUMS.sign, SHA256SUMS.sign, etc.). Before you use a checksum to verify an image, you need to verify the checksum file with its signature. Look for the checksum and checksum signature files alongside the image downloads below.</p>
	<p>For more information about how to verify the image files, read the <a href="https://www.debian.org/CD/verify";>verification guide</a>.</p>

The download and checksum links below a verification section could be organized like the following:

	<table>
	<tr>
		<td><a href="http://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-8.7.1-amd64-netinst.iso";>amd64</a></td>
		<td>[<a href="http://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA256SUMS.sign";>SHA256SUMS.sign</a>]</td>
		<td>[<a href="http://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA256SUMS";>SHA256SUMS</a>]</td>
		<td>[<a href="http://cdimage.debian.org/debian-cd/current/amd64/iso-cd/";>Other Files</a>]</td>
	</tr>
	<tr>
		<td><a href="http://cdimage.debian.org/debian-cd/current/i386/iso-cd/debian-8.7.1-i386-netinst.iso";>i386</a></td>
		<td>[<a href="http://cdimage.debian.org/debian-cd/current/i368/iso-cd/SHA256SUMS.sign";>SHA256SUMS.sign</a>]</td>
		<td>[<a href="http://cdimage.debian.org/debian-cd/current/i386/iso-cd/SHA256SUMS";>SHA256SUMS</a>]</td>
		<td>[<a href="http://cdimage.debian.org/debian-cd/current/i386/iso-cd/";>Other Files</a>]</td>
	</tr>
	</table>

I think it is best to place the all the download sections after the verification section.

The https://www.debian.org/CD/live/ page doesn't contain direct downloads but the pages it does link to do not contain verification like other similar pages. For example, compare http://cdimage.debian.org/debian-cd/current-live/amd64/bt-hybrid/ with http://cdimage.debian.org/debian-cd/current/multi-arch/iso-cd/ . I think pages like the former should be changed to look like the latter. This includes the following pages:
	http://cdimage.debian.org/debian-cd/current-live/amd64/bt-hybrid/
	http://cdimage.debian.org/debian-cd/current-live/i386/bt-hybrid/
	http://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/
	http://cdimage.debian.org/debian-cd/current-live/i386/iso-hybrid/

I also think the verification page https://www.debian.org/CD/verify is a little too vague. I think it should include step by step details of how to perform the verification with commands and expected outputs.

I think the installation guides should also include detailed explanation of and recommendation for verification with appropriate links to the secure verification guide page https://www.debian.org/CD/verify 

The download on the main page https://www.debian.org/ should navigate to a page with a verification section, before automatically downloading the file. This allows the same behavior of having a direct download on the main page but with the benefit of having the user see a verification recommendation.

I would also like to note that some other distributions provide the checksum on a secure page, simplifying the verification process considerably.

https://www.debian.org/distrib/
-----Original Message-----
From: paul.is.wise@gmail.com [mailto:paul.is.wise@gmail.com] On Behalf Of Paul Wise
Sent: Thursday, February 2, 2017 10:18 PM
To: Leon Traille <leon.traille@outlook.com>
Cc: debian-www@lists.debian.org
Subject: Re: Displaying Instructions for Verifying Installation Media

On Fri, Feb 3, 2017 at 3:55 AM, Leon Traille wrote:

> I think that suggesting and linking to verification instructions would 
> further the interests of Internet users.

Could you suggest which web pages we should modify and what the new wording on those pages should be?

--
bye,
pabs

https://wiki.debian.org/PaulWise

Reply to:

References:
- Displaying Instructions for Verifying Installation Media
  - From: Leon Traille <leon.traille@outlook.com>
- Re: Displaying Instructions for Verifying Installation Media
  - From: Paul Wise <pabs@debian.org>

Prev by Date: Attendees list of Southern California Linux Expo 2017
Next by Date: [debian-www] Please add mips64el to stretch and add pages for buster
Previous by thread: Re: Displaying Instructions for Verifying Installation Media
Next by thread: dehyrated jessie-backports package - "all files" broken link
Index(es):
- Date
- Thread