Thanks, Seth, for the security POV on this and essentially confirming what I assumed.

That said, I think the bug is for now "incomplete" in the sense of breaking the initial report into two things:
A) I see this on upgrade on one machine, which is unexpected.
B) If this file is generated by each machine, why would we ship a default?

B - is solved - it is not generated and we want to ship a default as we do right now.
A - is incomplete - as it is not clear yet why you have got the "Modified (by you or by a script) since installation"

Note: I test-upgraded xenial to bionic and got a no-notification upgrade from 0075fd4b72a421f909af9809d0dd3bdc to fe5be9e1b2ad5c55132a3521ecaadcdd

So I repeat my question to @Mark:
1. I'd assume you had not changed your file - if you had modified it then all is correct. Had you modified it?
2. If you have not modified it there are two options:
2.1. someone/something tampered with your moduli
2.2. or we have a bug somewhere in the generic upgrade paths misdetecting old content as unchanged.

If there still is a /etc/ssh/moduli.dpkg-old version of it, what is the checksum (Xenial was 0075fd4b72a421f909af9809d0dd3bdc)?

** Changed in: openssh (Ubuntu)
       Status: New => Incomplete

--
https://bugs.launchpad.net/bugs/1748709

Title:
  Upgrade from xenial to bionic wants to replace moduli
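
The three-way checksum comparison behind the "Modified (by you or by a script) since installation" prompt, written out as an added example; it is not part of the original comment and not dpkg's own code. The function names are hypothetical, and the two package hashes are the ones quoted in the comment above.

```shell
#!/bin/sh
# Added example: conffile decision from three MD5 sums, following dpkg's
# documented behaviour (hash recorded for the old package's file, hash of the
# file on disk, hash of the new package's file).
XENIAL_MD5=0075fd4b72a421f909af9809d0dd3bdc   # xenial default, from the comment
BIONIC_MD5=fe5be9e1b2ad5c55132a3521ecaadcdd   # bionic default, from the comment

# conffile_action OLD_PKG_MD5 ON_DISK_MD5 NEW_PKG_MD5
conffile_action() {
    old=$1; cur=$2; new=$3
    if [ "$cur" = "$new" ]; then
        echo keep               # disk already matches the new default
    elif [ "$old" = "$new" ]; then
        echo keep               # default unchanged; local edits are left alone
    elif [ "$cur" = "$old" ]; then
        echo replace-silently   # untouched file, new default: no question asked
    else
        echo prompt             # local change AND new default: dpkg asks
    fi
}

file_md5() { md5sum "$1" | cut -d' ' -f1; }

# What a xenial -> bionic upgrade would do with the given moduli file.
# Also usable on /etc/ssh/moduli.dpkg-old to see what was on disk before.
explain_moduli() {
    f=$1
    if [ ! -r "$f" ]; then
        echo unreadable
        return 0
    fi
    conffile_action "$XENIAL_MD5" "$(file_md5 "$f")" "$BIONIC_MD5"
}
```

A result of `prompt` for a file nobody edited means its content differs from the shipped xenial default, which is the situation options 2.1 and 2.2 in the comment try to tell apart.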