Am Thu, Dec 11, 2025 at 11:44:31PM -0300, schrieb Olegário A. Filho: > 2) apt policy output for the affected package > > # apt policy sgml-base > sgml-base: > Installed: 1.31+nmu1 > Candidate: 1.31+nmu1 > Version table: > *** 1.31+nmu1 500 > 500 mirror+file:/etc/apt/mirrors/debian.list trixie/main amd64 > Packages > 100 /var/lib/dpkg/status > 1.31+nmu1 1000 > 1000 https://d17k9fuiwb52nc.cloudfront.net trixie/main amd64 > Packages > > Note: the same version (1.31+nmu1) is available from both Debian’s mirror > and CloudPanel’s “trixie main” repository. That isn't the same version. It has the same version number, yes, but libapt has detected a subtil difference in those packages. Their hashes might be different if the package doesn't build reproducibly or the dependencies (versions) differ. Are you sure the packages are "copied" and not also (re)build there? Its "easiest" to look at the stanzas in the Packages files and compare those for EXACT match. libapt does slight massaging, but even a spurious 0:-epoch can throw it off (not all fields are compared, but without looking I suspect a dependency with a non- canonical version number that is differently formatted by different tools. libapt does not canonicalize version numbers – too expensive). Given the versions are different and apt detects the installed one as the one from Debian (also hinting at a small difference caused by different repository generators) the behaviour you encounter is actually the one you have configured to happen and is correct. If the versions are detected as the same, they are grouped together under the same version number, like the Debian version and the installed version are grouped together. The other one would be the third line in this group – if they were detected as the same. Best regards David Kalnischkies
Attachment:
signature.asc
Description: PGP signature