On 3/24/26 5:16 AM, Marilyn Bretherick wrote:
> I respectfully request written confirmation of the following:
> 1. That dpkg version 1.21.22 was released to the official Debian archive on or around Thursday, May 11, 2023, as reflected in the public changelog entry bearing your name and email address.

The `dscverify` tool might prove useful in this quest. It is available in the `devscripts` package. It will cryptographically verify that the source package for the `1.21.22` version of the `dpkg` package has been signed by a Debian Developer.

```
$ wget "http://deb.debian.org/debian/pool/main/d/dpkg/dpkg_1.21.22.dsc";
$ wget "http://deb.debian.org/debian/pool/main/d/dpkg/dpkg_1.21.22.tar.xz";
$ dscverify --verbose dpkg_1.21.22.dsc
dpkg_1.21.22.dsc:
gpg: Signature made Wed 10 May 2023 09:16:45 PM CDT
gpg:                using RSA key 4F3E74F436050C10F5696574B972BF3EA4AE57A3
gpg: Good signature from "Guillem Jover <[email protected]>" [unknown]
gpg:                 aka "Guillem Jover <[email protected]>" [unknown]
gpg: WARNING: Using untrusted key!
      Good signature found
   validating dpkg_1.21.22.tar.xz
All files validated successfully.
```

As the changelog is part of the files signed and validated in the dsc file...

> 2. That the file /etc/cron.daily/dpkg is a standard component of dpkg 1.21.22 for amd64 architecture, distributed to all Debian systems carrying that package version, as reflected in the official file list at packages.debian.org.

...it should follow that /etc/cron.daily/dpkg is indeed a standard component of dpkg, since it is documented in the `debian` dir:

```
$ tar -xf dpkg_1.21.22.tar.xz
$ stat dpkg-1.21.22/debian/dpkg.cron.daily
  File: dpkg-1.21.22/debian/dpkg.cron.daily
  Size: 123             Blocks: 8          IO Block: 4096   regular file
Device: 254,1   Inode: 57943651    Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/ preston)   Gid: ( 1000/ preston)
Access: 2026-03-25 22:39:54.653739796 -0500
Modify: 2023-03-26 19:41:09.000000000 -0500
Change: 2026-03-25 22:39:20.677874094 -0500
 Birth: 2026-03-25 22:39:20.677874094 -0500
```

> 3. That the file dates associated with this package reflect upstream authorship and compilation dates rather than dates of installation on any individual end-user system, consistent with the timestamp preservation requirements of Section 4.7 of the Debian Policy Manual.

That is the *intention*, yes. Keeping the `mtime`s consistent in this manner also allows the package to be reproducible.

> 4. That a December 2, 2025 modification timestamp on a system carrying this package would be consistent with a downstream distributor, such as Google Crostini, repackaging or imaging this software subsequent to its original Debian release date.

That *could* be consistent with any number of other explanations, including just `touch`ing the file for fun and doing nothing else. I'm not familiar with Crostini, but according to Google's own documentation, it is some sort of Debian container used to run Linux applications within Chrome OS:

https://www.chromium.org/chromium-os/developer-library/guides/containers/crostini-developer-guide/

If the intention here is to make a request from Google for source code of this container, or at least of software within it, then you should consult legal counsel; or, at a minimum, try to enlist the help of the Software Freedom Conservancy (SFC) or the Free Software Foundation (FSF).

SFC: https://sfconservancy.org/

FSF: https://www.fsf.org/

Be advised, though: distributions fall under what the GPL calls "aggregates" (or "compilations" in version 3). The mere fact that some of the software in the aggregate is GPL does not mean that everything in the aggregate must also be GPL.

> 5. That a cryptographically signed release record or archive timestamp exists within the public Debian infrastructure that independently verifies the authenticity and release date of this package version, and if so, where that record may be accessed by a member of the public.

See response to step 1, which shows that the corresponding source package was signed by a Debian Developer. That establishes authenticity, I suppose. However, the timestamp associated with the signature is not itself guaranteed to be accurate; it is merely a claim made by the signer that it was signed at that time.

--
In Solidarity,
Preston Maness
512-955-1048
https://keyoxide.org/79895B2E0F87503F1DDE80B649765D7F0DDD9BD5
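The chain of trust Preston's `dscverify` run relies on is: the OpenPGP signature covers the `.dsc`, the `.dsc` lists SHA-256 checksums of the source files, and the tarball holds `debian/changelog`. The script below is an added example (not part of the reply above and not devscripts code) that shows the checksum half of that chain over a constructed `.dsc` and an in-memory tarball, so it runs offline; the signature check itself is left to `gpg`/`dscverify`. File names, the `example` package and the changelog text are all constructed for the demo.

```python
"""Verify a .dsc's Checksums-Sha256 entries against the files on disk.

Added example: this reproduces what dscverify does after the OpenPGP
signature passes, using a constructed .dsc and tarball rather than the real
dpkg_1.21.22 artifacts. Nothing here checks the signature itself.
"""
import hashlib
import io
import re
import tarfile
from typing import Dict, Tuple

# Constructed changelog entry; not the real dpkg changelog.
CHANGELOG = (
    "example (1.0) unstable; urgency=medium\n\n"
    "  * Constructed changelog entry for this example.\n\n"
    " -- Example Maintainer <maintainer@example.invalid>"
    "  Sun, 26 Mar 2023 19:41:09 -0500\n"
)
TARBALL_NAME = "example_1.0.tar.xz"  # constructed file name


def build_sample_tarball(changelog_text: str) -> bytes:
    """Build an in-memory .tar.xz holding debian/changelog (constructed)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tf:
        data = changelog_text.encode()
        info = tarfile.TarInfo("example-1.0/debian/changelog")
        info.size = len(data)
        # Fixed mtime: the archive stays reproducible, as the reply notes
        # Debian does by preserving upstream mtimes.
        info.mtime = 1679870469
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def changelog_from_tarball(tarball: bytes) -> str:
    """Extract debian/changelog, i.e. the file whose date item 1 asks about."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:xz") as tf:
        for member in tf.getmembers():
            if member.name.endswith("debian/changelog"):
                return tf.extractfile(member).read().decode()
    raise FileNotFoundError("debian/changelog not in tarball")


def make_dsc(files: Dict[str, bytes]) -> str:
    """Render the fields of a native-format .dsc for the given blobs.
    A real .dsc carries more fields and is clearsigned; both omitted here."""
    lines = ["Format: 3.0 (native)", "Source: example", "Version: 1.0",
             "Checksums-Sha256:"]
    for name, blob in files.items():
        lines.append(f" {hashlib.sha256(blob).hexdigest()} {len(blob)} {name}")
    lines.append("Files:")  # next field ends the Checksums-Sha256 block
    return "\n".join(lines) + "\n"


def parse_checksums_sha256(dsc_text: str) -> Dict[str, Tuple[str, int]]:
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 field.
    The field is RFC822-style: its entries are the indented continuation lines."""
    entries: Dict[str, Tuple[str, int]] = {}
    in_field = False
    for line in dsc_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
            continue
        if in_field:
            if not line.startswith(" "):
                break  # a non-indented line starts the next field
            m = re.match(r"\s+([0-9a-f]{64})\s+(\d+)\s+(\S+)$", line)
            if m:
                entries[m.group(3)] = (m.group(1), int(m.group(2)))
    return entries


def verify_files(dsc_text: str, files: Dict[str, bytes]) -> Dict[str, bool]:
    """True per listed file iff both size and SHA-256 match the .dsc."""
    results: Dict[str, bool] = {}
    for name, (digest, size) in parse_checksums_sha256(dsc_text).items():
        blob = files.get(name)
        results[name] = (blob is not None and len(blob) == size
                         and hashlib.sha256(blob).hexdigest() == digest)
    return results


def demo() -> Dict[str, Dict[str, bool]]:
    """Intact tarball validates; a one-byte change is caught by the .dsc hash."""
    tarball = build_sample_tarball(CHANGELOG)
    dsc = make_dsc({TARBALL_NAME: tarball})
    intact = verify_files(dsc, {TARBALL_NAME: tarball})
    tampered = bytearray(tarball)
    tampered[-1] ^= 0x01
    bad = verify_files(dsc, {TARBALL_NAME: bytes(tampered)})
    return {"intact": intact, "tampered": bad}


if __name__ == "__main__":
    print(demo())
    print(changelog_from_tarball(build_sample_tarball(CHANGELOG)))
```

Because the changelog lives inside the hashed tarball, a valid signature on the `.dsc` vouches for the changelog's contents, including its dated entry; it does not vouch for the signature's own creation time, which, as the reply says, is simply whatever the signer's clock reported.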
