Bug#154408: apt indicates download from unstable on testing pinned system
> While the end result in the cases I've tested is the same desired
> package, the indicaction provided the end user is misleading.
Actually, the downloaded package is always one that is considered equal
to the one that was actually selected (at least the version number and a
hash over some header fields are equal, which normally should be enough).
In the following example, the two source files for each version are
considered to be equal (otherwise their respective versions would be
listed twice). Version 1.10.9 is selected for candidate because the
testing release has a higher priority than woody, but it is later
downloaded from the first available source, which happens to be
# apt-cache policy dpkg
101 ftp://ftp.debian.de unstable/main Packages
910 ftp://ftp.debian.de testing/main Packages
*** 1.9.21 0
900 ftp://ftp.debian.de woody/main Packages
Actually downloading from the source that caused the version to be
selected would indeed be nice (and maybe even a little bit more secure),
but at the moment this information is not available outside of the
policy function that makes the selection.