Stop Guessing Whether Debian Package Files Changed: Practical debsums for Integrity Checks A package can be fully installed and still not be in the state you think it is. Maybe a file was edited by hand. Maybe a cleanup script went too far. Maybe you are checking a host after a rough shutdown, disk issue, or suspicious change and you want one simple answer: Did files shipped by Debian packages change on disk? On Debian and Debian-derived systems, debsums is one practical way to answer that. This guide shows how to: install and use debsums check one package or the whole system include or exclude config files intentionally deal with packages that do not ship MD5 checksum lists repair changed package-managed files safely understand where debsums helps and where it does not Anti-duplication note I rejected another vulnerability-management angle because the most recent live post already covered debsecan for CVE triage. This article is intentionally different.…