• Public Record Verification Request: dpkg 1.21.22 amd64 Package Provenan

    From Marilyn Bretherick@3:633/10 to All on Tuesday, March 24, 2026 11:20:02
    Subject: Public Record Verification Request: dpkg 1.21.22 amd64 Package Provenance

    Dear Guillem Jover and Debian Project,
    I am writing as a member of the public to respectfully request written confirmation regarding publicly available information hosted in the
    official Debian package repository at packages.debian.org. I understand
    this repository to constitute a public record maintained under the GNU
    Affero General Public License, version 3 (GNU AGPLv3+).
    I am independently verifying the provenance of files present on my
    Chromebook running a Debian 12 (bookworm) Linux environment provisioned by Google Crostini. In preparing this inquiry, I have reviewed and relied upon
    the following public records:
    - Official package listing: packages.debian.org/bookworm/dpkg
    - Official file list: packages.debian.org/bookworm/amd64/dpkg/filelist
    - Official changelog: metadata.ftp-master.debian.org/changelogs/main/d/dpkg/dpkg_1.21.22_changelog
    - Debian Policy Manual, version 4.7.3.0, released December 23, 2025
    - GNU Affero General Public License, version 3, dated November 19, 2007
    I note that Section 4.4 of the Debian Policy Manual establishes the
    changelog as the authoritative record of package versioning, and that
    Section 4.7 establishes that modification timestamps in packages carry policy-governed meaning. My inquiry is grounded in these published
    standards and in the rights granted to me as a recipient of software distributed under the GNU AGPLv3+, specifically the rights affirmed under Sections 2, 4, and 10 of that license.
    I respectfully request written confirmation of the following:
    1. That dpkg version 1.21.22 was released to the official Debian archive on
    or around Thursday, May 11, 2023, as reflected in the public changelog
    entry bearing your name and email address.
    2. That the file /etc/cron.daily/dpkg is a standard component of dpkg
    1.21.22 for amd64 architecture, distributed to all Debian systems carrying
    that package version, as reflected in the official file list at packages.debian.org.
    3. That the file dates associated with this package reflect upstream
    authorship and compilation dates rather than dates of installation on any individual end-user system, consistent with the timestamp preservation requirements of Section 4.7 of the Debian Policy Manual.
    4. That a December 2, 2025 modification timestamp on a system carrying this package would be consistent with a downstream distributor, such as Google Crostini, repackaging or imaging this software subsequent to its original Debian release date.
    5. That a cryptographically signed release record or archive timestamp
    exists within the public Debian infrastructure that independently verifies
    the authenticity and release date of this package version, and if so, where that record may be accessed by a member of the public.
    I am making this request solely for personal verification and documentation purposes. I am exercising rights expressly granted to me as a recipient of software distributed under the GNU AGPLv3+ and as a member of the public engaging with a publicly hosted open source repository governed by the
    Debian Policy Manual. I intend to retain any written response as part of my permanent personal records.
    I am copying this inquiry to the Debian development mailing list and to the Debian Press Contact to ensure that a permanent public record of this verification request exists.
    Thank you sincerely for your time, for your service to the Debian project,
    and for the transparency of the project's public infrastructure.
    *Respectfully submitted,*
    *Marilyn Bretherick*
    CC: press@debian.org
    CC: guillem@debian.org
    CC: debian-devel@lists.debian.org
    CC: dpkg@packages.debian.org
    ------------------------------
    *CONFIDENTIALITY NOTICE:* This email and any and all accompanying Electronically Stored Information (ESI), including all email threads, attachments, linked content, and associated metadata, are intended *only*
    for the use of the individual or entity to whom they are addressed. This communication *may* contain information that is private, confidential,
    legally privileged, and/or proprietary. *If you are not the intended
    recipient of this communication,* you are hereby notified that any
    unauthorized review, use, disclosure, dissemination, copying, or
    distribution of this message or its contents is prohibited. If you have received this communication in error, *please notify the sender.*
    *COPYRIGHT AND INTELLECTUAL PROPERTY NOTICE:* The text, attachments, and
    all other content of this email are unpublished literary works and/or proprietary information protected by U.S. Copyright Law (17 U.S.C. § 101 et seq.) and other applicable intellectual property laws. The sender is the
    sole copyright and intellectual property holder. Unauthorized reproduction, distribution, or use of this communication is strictly prohibited. The disclosure of this communication does not waive any applicable legal
    privilege. The sender retains all rights and privileges associated with
    this communication and its contents.


    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Andrey Rakhmatullin@3:633/10 to All on Tuesday, March 24, 2026 11:40:02
    Subject: Re: Public Record Verification Request: dpkg 1.21.22 amd64 Package Provenance

    On Tue, Mar 24, 2026 at 11:16:21AM +0100, Marilyn Bretherick wrote:
    > Dear Guillem Jover and Debian Project,
    > I am writing as a member of the public to respectfully request written
    > confirmation regarding publicly available information hosted in the
    > official Debian package repository at packages.debian.org. I understand
    > this repository to constitute a public record maintained under the GNU
    > Affero General Public License, version 3 (GNU AGPLv3+).
    > My inquiry is grounded in these published
    > standards and in the rights granted to me as a recipient of software
    > distributed under the GNU AGPLv3+, specifically the rights affirmed under
    > Sections 2, 4, and 10 of that license.
    > I am making this request solely for personal verification and documentation
    > purposes. I am exercising rights expressly granted to me as a recipient of
    > software distributed under the GNU AGPLv3+ and as a member of the public
    > engaging with a publicly hosted open source repository governed by the
    > Debian Policy Manual. I intend to retain any written response as part of my
    > permanent personal records.
    You may be mistakenly associating Debian and/or dpkg with AGPL but also
    I'm not sure if the listed sections of that license give you rights to
    request all of this information.
    You are, of course, free to *ask*. You are even free to copy your
    questions to press@debian.org or any other existing or non-existing email addresses.
    > *CONFIDENTIALITY NOTICE:* This email and any and all accompanying
    > Electronically Stored Information (ESI), including all email threads,
    > attachments, linked content, and associated metadata, are intended *only*
    > for the use of the individual or entity to whom they are addressed. This
    > communication *may* contain information that is private, confidential,
    > legally privileged, and/or proprietary. *If you are not the intended
    > recipient of this communication,* you are hereby notified that any
    > unauthorized review, use, disclosure, dissemination, copying, or
    > distribution of this message or its contents is prohibited. If you have
    > received this communication in error, *please notify the sender.*
    >
    > *COPYRIGHT AND INTELLECTUAL PROPERTY NOTICE:* The text, attachments, and
    > all other content of this email are unpublished literary works and/or
    > proprietary information protected by U.S. Copyright Law (17 U.S.C. § 101 et
    > seq.) and other applicable intellectual property laws. The sender is the
    > sole copyright and intellectual property holder. Unauthorized reproduction,
    > distribution, or use of this communication is strictly prohibited. The
    > disclosure of this communication does not waive any applicable legal
    > privilege. The sender retains all rights and privileges associated with
    > this communication and its contents.
    Perfect.
    --
    WBR, wRAR

