ATM, investigation shows that failed md5sums are actually the same as those from 'original' packages. For instance, package upstart, version 1.5-0ubuntu5, is shipped with Ubuntu 12.04. /sbin/initctl from that package has a MD5 a08543b3a5d7f2221358f9f160c3b09f. MD5 for /sbin/initctl from current upstart package is bae534f4f29d22f3fda948e8a8157745. Installs on hardware machines do have correct MD5, but cloud images have an older MD5.
I suspect this is caused by live-build build process, where updates are done after the initial install and where build process mangles with /sbin/initctl and /sbin/start-stop-daemon so that those tools don't interfere with system on which image is built. In other words, this is a bug, this is a problem, it has potential of being serious bug, but it's not security issue. I'll leave it to the security team to make final decision.
ATM, investigation shows that failed md5sums are actually the same as those from 'original' packages. For instance, package upstart, version 1.5-0ubuntu5, is shipped with Ubuntu 12.04. /sbin/initctl from that package has a MD5 a08543b3a5d7f22 21358f9f160c3b0 9f. MD5 for /sbin/initctl from current upstart package is bae534f4f29d22f 3fda948e8a81577 45. Installs on hardware machines do have correct MD5, but cloud images have an older MD5.
I suspect this is caused by live-build build process, where updates are done after the initial install and where build process mangles with /sbin/initctl and /sbin/start- stop-daemon so that those tools don't interfere with system on which image is built. In other words, this is a bug, this is a problem, it has potential of being serious bug, but it's not security issue. I'll leave it to the security team to make final decision.