It wouldn’t help to verify already upgraded users. It would be reasonable to assume, that the verification on the running system would show that everything is alright. If the system was compromised during a recent apt upgrade by a skilled adversary, then it would make a lot sense for the adversary the later install the non-comprised apt package and to hide as a rootkit elsewhere.
If considered compromised, a full compromise recovery procedure would be required. I don’t think we have documented a full compromise recovery procedure anywhere. Anyone know what I mean and can recommend a good link to some explanation of that?
Fixed time on the server just now.
Drop the sha256sum from that line. That’s a bug in documentation that I’ll be fixing now.