On 24/03/2026 at 11:16, Marilyn Bretherick wrote:
Dear Guillem Jover and Debian Project,
I am writing as a member of the public to respectfully request written
confirmation regarding publicly available information hosted in the
official Debian package repository at packages.debian.org
<http://packages.debian.org>. I understand this repository to constitute a
public record maintained under the GNU Affero General Public License,
version 3 (GNU AGPLv3+).
I am independently verifying the provenance of files present on my
Chromebook running a Debian 12 (bookworm) Linux environment provisioned
by Google Crostini. In preparing this inquiry, I have reviewed and
relied upon the following public records:
- Official package listing: packages.debian.org/bookworm/dpkg
  <http://packages.debian.org/bookworm/dpkg>
- Official file list: packages.debian.org/bookworm/amd64/dpkg/filelist
  <http://packages.debian.org/bookworm/amd64/dpkg/filelist>
- Official changelog: metadata.ftp-master.debian.org/changelogs/main/d/dpkg/dpkg_1.21.22_changelog
  <http://metadata.ftp-master.debian.org/changelogs/main/d/dpkg/dpkg_1.21.22_changelog>
- Debian Policy Manual, version 4.7.3.0, released December 23, 2025
- GNU Affero General Public License, version 3, dated November 19, 2007
I note that Section 4.4 of the Debian Policy Manual establishes the
changelog as the authoritative record of package versioning, and that
Section 4.7 establishes that modification timestamps in packages carry
policy-governed meaning. My inquiry is grounded in these published
standards and in the rights granted to me as a recipient of software
distributed under the GNU AGPLv3+, specifically the rights affirmed
under Sections 2, 4, and 10 of that license.
I respectfully request written confirmation of the following:
1. That dpkg version 1.21.22 was released to the official Debian archive
on or around Thursday, May 11, 2023, as reflected in the public
changelog entry bearing your name and email address.
2. That the file /etc/cron.daily/dpkg is a standard component of dpkg
1.21.22 for amd64 architecture, distributed to all Debian systems
carrying that package version, as reflected in the official file list at
packages.debian.org <http://packages.debian.org>.
3. That the file dates associated with this package reflect upstream
authorship and compilation dates rather than dates of installation on
any individual end-user system, consistent with the timestamp
preservation requirements of Section 4.7 of the Debian Policy Manual.
4. That a December 2, 2025 modification timestamp on a system carrying
this package would be consistent with a downstream distributor, such as
Google Crostini, repackaging or imaging this software subsequent to its
original Debian release date.
5. That a cryptographically signed release record or archive timestamp
exists within the public Debian infrastructure that independently
verifies the authenticity and release date of this package version, and
if so, where that record may be accessed by a member of the public.
I am making this request solely for personal verification and
documentation purposes. I am exercising rights expressly granted to me
as a recipient of software distributed under the GNU AGPLv3+ and as a
member of the public engaging with a publicly hosted open source
repository governed by the Debian Policy Manual. I intend to retain any
written response as part of my permanent personal records.
I am copying this inquiry to the Debian development mailing list and to
the Debian Press Contact to ensure that a permanent public record of
this verification request exists.
Thank you sincerely for your time, for your service to the Debian
project, and for the transparency of the project's public infrastructure.
*Respectfully submitted,*
*Marilyn Bretherick*

Dear Ms. Bretherick,
Thank you for your interest in the Debian project and for taking the
time to write such a detailed inquiry.
Before addressing your specific questions, I should gently note a few
foundational issues with your request that you may wish to revisit: dpkg
is licensed under the GPL-2+, not the GNU AGPLv3. The license text is
included in every copy of the package, in the file
/usr/share/doc/dpkg/copyright, which is available on the very website
you cited. The rights you invoke throughout your letter — specifically
Sections 2, 4, and 10 of the AGPLv3 — do not apply to this software. I
would encourage you to read the license of a package before constructing
legal arguments based on it.
The Debian Policy Manual is an internal technical document that guides
Debian contributors in how packages should be built and maintained. It
is not a regulatory framework, it does not create enforceable
obligations toward end users, and it does not grant members of the
public the right to demand written confirmations from individual
volunteers. Your interpretation of Section 4.7 in particular reflects a
creative but unfortunately incorrect reading.
That said, I am happy to clarify a few points that are freely available
to anyone willing to look:
1. The dpkg changelog is public and speaks for itself. It does not
require any confirmation to exist.
2. The file list for any package can be verified by running dpkg -L dpkg
on any Debian system, or indeed by visiting the URL you already found.
3. File timestamps inside .deb packages generally reflect the build
time, not authorship dates. Modern Debian builds normalize timestamps
via SOURCE_DATE_EPOCH for reproducibility. This is documented
extensively and has nothing to do with Section 4.7 of the Policy Manual.
4. A modification timestamp of December 2, 2025 on a file from a package
released in May 2023 most likely indicates that the file was written or
updated during a perfectly routine package installation or system
update. This is how package managers work. No repackaging conspiracy by
Google is required to explain it.
5. Debian packages are cryptographically signed via the archive keyring,
and Release files are signed with GPG. This is documented at
wiki.debian.org/SecureApt. You are welcome to verify any package
yourself using standard tools such as apt-key, gpgv, and sha256sum.
These tools are, in fact, more reliable than asking a maintainer to
write you a letter.
I would respectfully suggest that before retaining any correspondence as
part of your "permanent personal records," you may find it worthwhile to
familiarize yourself with the actual license, the actual tools, and the
actual documentation of the software you are inquiring about. The Debian
project has invested considerable effort in making all of this
information freely and publicly accessible — precisely so that
individual volunteers do not need to serve as a help desk.
I wish you the best in your verification efforts.
Kind regards
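
The hash check mentioned in point 5 of the reply, as an added example that is not part of the original message or of Debian's own tooling: it compares a downloaded .deb with the Size and SHA256 recorded for it in a Packages index. The function names, the stand-in file and the sample index are constructed for illustration.

```shell
#!/bin/sh
# Added example. The Packages index is only trustworthy once its own hash
# matches a Release file whose signature has been checked, e.g.:
#   gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg InRelease

# index_field PACKAGES PKG VERSION ARCH FIELD: print FIELD of the matching stanza.
index_field() {
    awk -v p="$2" -v v="$3" -v a="$4" -v f="$5" '
        BEGIN { RS = ""; FS = "\n" }
        {
            split("", kv)                       # reset per stanza
            for (i = 1; i <= NF; i++) {
                n = index($i, ": ")
                if (n > 0 && $i !~ /^[ \t]/)    # skip continuation lines
                    kv[substr($i, 1, n - 1)] = substr($i, n + 2)
            }
            if (kv["Package"] == p && kv["Version"] == v && kv["Architecture"] == a) {
                print kv[f]; exit
            }
        }' "$1"
}

# verify_deb PACKAGES DEB PKG VERSION ARCH
# Returns 0 on match, 1 on size/hash mismatch, 2 if the index has no such entry.
verify_deb() {
    want_sha=$(index_field "$1" "$3" "$4" "$5" SHA256)
    want_size=$(index_field "$1" "$3" "$4" "$5" Size)
    [ -n "$want_sha" ] || { echo "no index entry for $3 $4 ($5)" >&2; return 2; }
    have_sha=$(sha256sum "$2" | cut -d' ' -f1)
    have_size=$(wc -c < "$2" | tr -d ' ')
    if [ "$have_sha" = "$want_sha" ] && [ "$have_size" = "$want_size" ]; then
        echo "OK $2"; return 0
    fi
    echo "MISMATCH $2: index $want_sha/$want_size, file $have_sha/$have_size" >&2
    return 1
}

# Demo on constructed data: a stand-in file, not a real package.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed stand-in for a .deb\n' > "$d/pkg.deb"
    printf 'Package: dpkg\nVersion: 1.21.22\nArchitecture: amd64\nSize: %s\nSHA256: %s\n' \
        "$(wc -c < "$d/pkg.deb" | tr -d ' ')" \
        "$(sha256sum "$d/pkg.deb" | cut -d' ' -f1)" > "$d/Packages"
    verify_deb "$d/Packages" "$d/pkg.deb" dpkg 1.21.22 amd64; rc=$?
    rm -rf "$d"; return "$rc"
}
demo
```

A match here says only that the file is the one the index describes; the release date and authenticity rest on the signed Release file that covers the index.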