From 2a51757c2d33ddc8c5eb001177f7530f6116b73d Mon Sep 17 00:00:00 2001
From: Silvio Rhatto <rhatto@riseup.net>
Date: Thu, 11 Jun 2015 18:51:43 -0300
Subject: Checking the source: debian images

---
 checking.md | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/checking.md b/checking.md
index f0a71a8..f99fa1d 100644
--- a/checking.md
+++ b/checking.md
@@ -1,11 +1,20 @@
 Checking the source
 ===================
 
+Debian Images
+-------------
+
+See [Verifying authenticity of Debian CDs](https://www.debian.org/CD/verify).
+
+Source packages
+---------------
+
 This is the trick part. In theory, you could run just
 
     dscverify *.dsc
 
-Which would check if the signature was made for a key included in the `debian-keyring` package.
+Which would check if the signature was made for a key included in the `debian-keyring` package or if you
+have a verification path with the signing key.
 
 In practice, it should always work for sources you download from the **same** Debian version you're running.
 But sources you download from newer versions might not work, depending basically if the maintainer's key is
@@ -116,4 +125,3 @@ See also:
 * [Debian Public Key Server](http://keyring.debian.org/).
 * [apt get - How to get apt-get source verification working? - Super User](https://superuser.com/questions/626810/how-to-get-apt-get-source-verification-working).
 * [Debian. How can I securely get debian-archive-keyring, so that I can do an apt-get update? NO_PUBKEY - Server Fault](http://serverfault.com/questions/337278/debian-how-can-i-securely-get-debian-archive-keyring-so-that-i-can-do-an-apt-g/337283#337283).
-
-- 
cgit v1.2.3