Comment 9 for bug 1100295

Seth Arnold (seth-arnold) wrote:

Marking Ubuntu GNOME as Invalid as that's just far too broad.

Marking debsums and dpkg as Wontfix because debsums is not intended to be a security tool:

       debsums is intended primarily as a way of determining what
       installed files have been locally modified by the
       administrator or damaged by media errors and is of limited
       use as a security tool.

       If you are looking for an integrity checker that can run from
       safe media, do integrity checks on checksum databases and can
       be easily configured to run periodically to warn the admin of
       changes see other tools such as: aide, integrit, samhain, or
       tripwire.

I suspect the list of suggested programs in the last sentence may need some modification due to the passage of time.

debsums is not suitable for determining malicious modifications of the filesystem. An attacker in a position to modify packaged files can likely also replace debsums itself, any libraries that debsums may use, the database of hashes, perhaps even kernel mechanisms that would hide the effects of modified filesystems.

debsums is meant to help discover locally-modified programs and it serves that purpose well even with md5.

Thanks