In article <[🔎] BAY126-DS1538DC7CA6B62A18B0D3C99F10@phx.gbl> you wrote: > If some packages are localy modified, This suggests that your local system > is already compromised. Not if you use a NFS mounted shared cache. It should be possible to verify the package on install time. (Especially when not using apt-get). Not sure if debsig-verify can work in that environment. Gruss Bernd