[VLM]

Reading your post literally, you're asking how what amounts to mirror operators ensure their mirror is clean, and that's a long story, especially WRT proxies like approx the apt specific proxy not just "real mirrors".

If you're asking more about verifying the files on your install, assuming you trust debsums and its data not to be powned then you'd run debsums -c or whatever. Of course a real attacker would have their highest priority to mess with debsums and its data, hmm. Also debsums is quite slow and resource intensive, so pausing for 10 minutes doesn't mean its crashed or infinite looped, it just means its doing its thing. Finally if you run vanilla and never compile and overwrite your own copy of "whatever" then debsums will work, but if for example you installed debian's apache and then compiled your own apache and overwrote the debian apache binaries (why?), all debsums is going to know is your apache isn't standard debian apache so that doesn't necessarily prove your powned or un powned, it just proves you're not running Debian's apache binary.

Google debsums, and this link will probably help

https://packages.debian.org/sid/debsums

Whatever you do, don't run "debsums -e" and freak out. At least not without reading the manpage and thinking about it a bit. OK debsums, thanks for letting me know someone modified /etc/ntp.conf, but I think that was me seeing as we have three GPS clocks on the LAN I feel no need to panic. It is an interesting command to use to see how modified a machine's install is. Oh I see you're running stock /etc/detault/ssh and no modifications at all to /etc/sysctl.conf, how interesting.