
Re: debcheckroot v2.0 released




On 25.11.19 at 17:52, Elmar Stellnberger wrote:
Not using apt/dpkg comes at the expense of not being able to fully
verify the whole system. What if there are outdated packages on the
system which aren't available anymore from the repository? Using
snapshot.debian.org?

I have just extended debcheckroot to also support file repos. Now it can check 100% of the packages I have installed. That was necessary because, for instance, the printer driver is vendor-specific and cannot be fetched from an online repo. I will publish that as debcheckroot v2.2 soon. Outdated packages are a problem though; I had supposed that Debian would maintain sha256sums for packages not available online anymore. However, I do not see any good possibility to resolve this without support from the distributors. I am not sure whether outdated updates would still be available on snapshot.debian.org; I would not believe so, though perhaps someone else reading this list could help us. If it is not about updates but about singleton packages, one could download specific packages from snapshot by hand if you really come across having installed such a package.

If debcheckroot cannot find many packages, that may point to an intentionally altered package database and thus to a possible infection of your system. I have seen many ways to avoid scrutiny by debcheckroot in the past, and this may just be an easy way to achieve this. Remember that with a freshly updated system plus packages you downloaded manually, 100% of all packages should be verifiable. I think the theoretically constructed case that a package is still installed that is no longer available via the update repo is rather improbable, as normally the base version of all packages is available in the base repo. If a newer version is available in the update repo, the update should have been installed as well.
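
The coverage question discussed in this message, as an added example that is not part of the original post and not debcheckroot's own code: it lists installed packages whose exact version has no checksum entry in any supplied index. It assumes input in the stanza format of dpkg's status file and of a repository `Packages` index; the sample data, the `stanza` helper and all digests are constructed.

```python
import re

def parse_stanzas(text):
    """Parse Debian control-file stanzas: 'Key: value' blocks split by blank lines."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:   # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas

def ident(s):
    return (s["Package"], s["Version"], s.get("Architecture"))

def coverage(status_text, index_texts):
    """Split installed packages into (verifiable, unverifiable) against the indexes."""
    known = {ident(s) for t in index_texts for s in parse_stanzas(t) if "SHA256" in s}
    ok, missing = [], []
    for s in parse_stanzas(status_text):
        if s.get("Status") == "install ok installed":   # skip removed/config-only
            (ok if ident(s) in known else missing).append(ident(s))
    return ok, missing

def stanza(name, version, extra):   # hypothetical helper building constructed stanzas
    return f"Package: {name}\nVersion: {version}\nArchitecture: amd64\n{extra}\n"

# Constructed sample data (names, versions and digests are made up for illustration).
STATUS = "\n".join([
    stanza("bash", "5.0-4", "Status: install ok installed"),
    stanza("coreutils", "8.30-2", "Status: install ok installed"),
    stanza("vendor-printer-driver", "1.0-1", "Status: install ok installed"),
    stanza("oldtool", "0.9-1", "Status: deinstall ok config-files"),
])
ONLINE = "\n".join([
    stanza("bash", "5.0-4", "SHA256: constructed-digest-a"),
    stanza("coreutils", "8.30-3", "SHA256: constructed-digest-b"),   # newer than installed
])
FILE_REPO = stanza("vendor-printer-driver", "1.0-1", "SHA256: constructed-digest-c")

if __name__ == "__main__":
    for label, indexes in (("online only", [ONLINE]), ("online + file repo", [ONLINE, FILE_REPO])):
        ok, missing = coverage(STATUS, indexes)
        print(f"{label}: {len(ok)}/{len(ok) + len(missing)} verifiable, missing: {missing}")
```

This only checks index membership, not file contents. On a real system the status file should be read from trusted boot media, since an altered package database is exactly the case the message warns about.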

