Comment 14 for bug 1100295

Seth Arnold (seth-arnold) wrote :

I marked it "wontfix" because it seems to most accurately reflect the state of things; the Ubuntu security team does not have resources to propose these kinds of changes for dpkg, and considering the threat model that debsums/dpkg's file md5sums are designed to address, it's easy to see why no one else has provided patches for this yet either.

It's just not a common threat model: assume that an adversary can overwrite something important but *not* the database or the tools that maintain it or the libraries and kernel needed by those tools.

Thanks