Comment 6 for bug 1991446

Seth Arnold (seth-arnold) wrote:

I believe the apt-helper download-file tool is checking the hashes before it makes the files available; it's not quite the same as checking them immediately before unpacking, but disk errors between downloads and processing feel pretty rare. (I think I've seen one case of on-disk package corruption among the thousands of bug reports, users on irc, askubuntu, etc.) Malicious replacement seems unlikely; an attacker with sufficient power to replace the files could likely write whatever they want wherever they want.

Privsep unpacking is a good idea.

There are a few different ways to get the sources for other versions:

pull-lp-source from ubuntu-dev-tools
chdist from devscripts
dget from devscripts (probably the easiest):

mkdir mstt && cd mstt
# one directory per .dsc, named after the .dsc file; dget fetches the .dsc plus the tarballs it lists
for f in http://archive.ubuntu.com/ubuntu/pool/multiverse/m/msttcorefonts/msttcorefonts_3.4+nmu1ubuntu1.dsc \
         http://archive.ubuntu.com/ubuntu/pool/multiverse/m/msttcorefonts/msttcorefonts_3.4+nmu1ubuntu2.dsc \
         http://archive.ubuntu.com/ubuntu/pool/multiverse/m/msttcorefonts/msttcorefonts_3.6ubuntu2.dsc \
         http://archive.ubuntu.com/ubuntu/pool/multiverse/m/msttcorefonts/msttcorefonts_3.7ubuntu6.dsc \
         http://archive.ubuntu.com/ubuntu/pool/multiverse/m/msttcorefonts/msttcorefonts_3.8ubuntu2.dsc
do
    d=$(basename "$f")
    mkdir "$d"
    pushd "$d"
    dget "$f"
    popd
done

(Funny enough this dget approach didn't reliably unpack them all; tar xf on the tarballs worked fine.)

Thanks
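The distinction drawn above (hashes checked when the download completes versus re-checked immediately before unpacking) can be closed in the unpacking step itself. The script below is an added example and is not code from the bug comment, from apt-helper, or from the msttcorefonts package: the function verify_and_unpack, the helper make_sample_archive, and the sample archive it builds are all constructed here for illustration. It recomputes the SHA-256 of an archive at the moment of use and only then extracts it, so a file altered on disk between download and processing is rejected rather than unpacked.

```shell
#!/bin/sh
# Added example (not from the bug comment, apt, or dget): verify an
# archive's SHA-256 immediately before unpacking it, so that a check done
# earlier in the pipeline is not the only thing standing between a
# corrupted or replaced file and the extraction step.

# verify_and_unpack <archive> <expected-sha256-hex> <dest-dir>
# Returns 0 and extracts into <dest-dir> only when the digest matches;
# returns 1 and touches nothing otherwise.
verify_and_unpack() {
    archive=$1
    expected=$2
    dest=$3

    [ -f "$archive" ] || { printf 'no such file: %s\n' "$archive" >&2; return 1; }

    # Recompute the digest now, at the point of use, rather than trusting
    # a result recorded when the download finished.
    actual=$(sha256sum "$archive" | cut -d' ' -f1)

    if [ "$actual" != "$expected" ]; then
        printf 'hash mismatch for %s\n  expected %s\n  actual   %s\n' \
            "$archive" "$expected" "$actual" >&2
        return 1
    fi

    mkdir -p "$dest" || return 1
    # Do not let ownership or mode bits stored in the archive dictate
    # what lands on disk; -C keeps the extraction inside <dest-dir>.
    tar --no-same-owner --no-same-permissions -xf "$archive" -C "$dest"
}

# make_sample_archive <work-dir>
# Builds a small constructed tarball (sample data, not a real package)
# under <work-dir> and prints the path of the archive it created.
make_sample_archive() {
    work=$1
    mkdir -p "$work/src"
    printf 'constructed sample payload\n' > "$work/src/file.txt"
    tar -cf "$work/sample.tar" -C "$work" src
    printf '%s\n' "$work/sample.tar"
}

# demo: build the sample archive, unpack it with the right digest, then
# show that a wrong digest is refused without creating the destination.
demo() {
    work=$(mktemp -d)
    archive=$(make_sample_archive "$work")
    good=$(sha256sum "$archive" | cut -d' ' -f1)

    verify_and_unpack "$archive" "$good" "$work/out" \
        && printf 'ok: unpacked into %s\n' "$work/out"

    bogus=0000000000000000000000000000000000000000000000000000000000000000
    if verify_and_unpack "$archive" "$bogus" "$work/out2"; then
        printf 'unexpected: tampered digest accepted\n' >&2
        return 1
    fi
    printf 'ok: mismatching digest refused\n'
    rm -rf "$work"
}
```

Run the file directly to execute demo, or source it and call verify_and_unpack with the digest you recorded at download time; the comparison happens on the current on-disk bytes, which is the property the comment's "immediately before unpacking" wording is about.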