[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1122637: APT incorrectly attempts to downgrade sgml-base when CloudPanel repository is enabled on Debian 13 (Trixie)

Dear David,

First of all, thank you very much for taking the time to reply — and more than that, thank you for your long-standing and invaluable contributions to apt/Debian. 

Following your message, I went ahead and performed all the suggested checks in detail, to verify whether the packages were truly identical or not, beyond sharing the same version number.

What I verified

I confirmed that:

1. APT correctly detects them as different packages, despite sharing the same version string (1.31+nmu1), which already explains the behavior observed.


2. I extracted and compared the actual .deb files provided by:

Debian official repository (deb.debian.org)

CloudPanel repository (d17k9fuiwb52nc.cloudfront.net)



3. The packages are not byte-identical:

Different file sizes

Different SHA256 hashes




Debian:      10868 bytes  sha256 a355b832d9f0f4dc9eca1a661080db5dc118e6c435f107a5c4dd201d7af59ba8
CloudPanel:  12026 bytes  sha256 95e923cec742ff773651bb0230fd0ee14aa1a7e092bd875c413f935729ae397d

4. Inspecting the control metadata (dpkg-deb -I) shows the same declared version and metadata fields, but clearly the binaries are not identical, confirming your point that these are distinct builds, not mere mirrors.



So your analysis was absolutely correct:
APT is behaving exactly as configured, and the repeated downgrade prompt is a direct consequence of the repository setup.

Practical conclusion on my side

From an operational and policy standpoint, I have decided to comment out the trixie main entry from the CloudPanel repository on my system.

CloudPanel already provides its required components via dedicated suites (nginx, PHP versions, varnish, etc.), and allowing a third-party repository to also publish packages from Debian main — especially when they are rebuilt or modified — seems risky and contrary to best practices for system stability.

I must admit that I still do not fully understand why CloudPanel maintains a main component at all, instead of restricting their repository strictly to the packages they actively maintain.

For this reason, I am re-CC’ing the CloudPanel team on this thread, so they can review whether publishing Debian base packages under main is really intentional and advisable, particularly on Debian 13.

Appendix

Below I will include the full list of commands and outputs used during the investigation (as previously shared), for completeness and reproducibility.

Once again, thank you very much for the clarification, the technical depth of your explanation, and for confirming that the observed behavior is correct given the current repository configuration.

Best regards,
Olegário A. Filho


------------------------------------------


Last login: Sat Dec 13 12:35:32 2025 from [REDACTED-IP]

user@host:~$ sudo apt update && sudo apt upgrade

[sudo] password for user:

Get:1 file:/etc/apt/mirrors/debian.list Mirrorlist [30 B]

Get:5 file:/etc/apt/mirrors/debian-security.list Mirrorlist [39 B]

Hit:6 http://repository.netdata.cloud/repos/stable/debian trixie/ InRelease

Hit:8 http://repository.netdata.cloud/repos/repoconfig/debian trixie/ InRelease

Hit:9 https://d17k9fuiwb52nc.cloudfront.net trixie InRelease

Hit:2 https://deb.debian.org/debian trixie InRelease

Hit:3 https://deb.debian.org/debian trixie-updates InRelease

Hit:4 https://deb.debian.org/debian trixie-backports InRelease

Hit:7 https://deb.debian.org/debian-security trixie-security InRelease

Hit:10 https://mirror.mariadb.org/repo/11.8/debian trixie InRelease

All packages are up to date.

The following packages were automatically installed and are no longer required:

  libgnutls-dane0t64  libunbound8

Use 'sudo apt autoremove' to remove them.


DOWNGRADING:

  sgml-base


Summary:

  Upgrading: 0, Installing: 0, Downgrading: 1, Removing: 0, Not Upgrading: 0

  Download size: 12.0 kB

  Space needed: 0 B / 395 GB available


Continue? [Y/n] y

Get:1 https://d17k9fuiwb52nc.cloudfront.net trixie/main amd64 sgml-base all 1.31+nmu1 [12.0 kB]

Fetched 12.0 kB in 0s (158 kB/s)

(Reading database ... 89596 files and directories currently installed.)

Preparing to unpack .../sgml-base_1.31+nmu1_all.deb ...

Unpacking sgml-base (1.31+nmu1) over (1.31+nmu1) ...

Setting up sgml-base (1.31+nmu1) ...

Processing triggers for man-db (2.13.1-1) ...


user@host:~$ sudo apt update && sudo apt upgrade

Get:1 file:/etc/apt/mirrors/debian.list Mirrorlist [30 B]

Get:2 file:/etc/apt/mirrors/debian-security.list Mirrorlist [39 B]

Hit:7 http://repository.netdata.cloud/repos/stable/debian trixie/ InRelease

Hit:3 https://deb.debian.org/debian trixie InRelease

Hit:8 https://d17k9fuiwb52nc.cloudfront.net trixie InRelease

Hit:4 https://deb.debian.org/debian trixie-updates InRelease

Hit:5 https://deb.debian.org/debian trixie-backports InRelease

Hit:6 https://deb.debian.org/debian-security trixie-security InRelease

Hit:9 http://repository.netdata.cloud/repos/repoconfig/debian trixie/ InRelease

Hit:10 https://mirror.mariadb.org/repo/11.8/debian trixie InRelease

All packages are up to date.

The following packages were automatically installed and are no longer required:

  libgnutls-dane0t64  libunbound8

Use 'sudo apt autoremove' to remove them.


DOWNGRADING:

  sgml-base


Summary:

  Upgrading: 0, Installing: 0, Downgrading: 1, Removing: 0, Not Upgrading: 0

  Download size: 12.0 kB

  Space needed: 0 B / 395 GB available


Continue? [Y/n] y

Get:1 https://d17k9fuiwb52nc.cloudfront.net trixie/main amd64 sgml-base all 1.31+nmu1 [12.0 kB]

Fetched 12.0 kB in 0s (172 kB/s)

(Reading database ... 89596 files and directories currently installed.)

Preparing to unpack .../sgml-base_1.31+nmu1_all.deb ...

Unpacking sgml-base (1.31+nmu1) over (1.31+nmu1) ...

Setting up sgml-base (1.31+nmu1) ...

Processing triggers for man-db (2.13.1-1) ...


user@host:~$ sudo apt update && sudo apt upgrade

Get:1 file:/etc/apt/mirrors/debian.list Mirrorlist [30 B]

Get:2 file:/etc/apt/mirrors/debian-security.list Mirrorlist [39 B]

Hit:7 http://repository.netdata.cloud/repos/stable/debian trixie/ InRelease

Hit:3 https://deb.debian.org/debian trixie InRelease

Hit:8 https://d17k9fuiwb52nc.cloudfront.net trixie InRelease

Hit:4 https://deb.debian.org/debian trixie-updates InRelease

Hit:5 https://deb.debian.org/debian trixie-backports InRelease

Hit:6 https://deb.debian.org/debian-security trixie-security InRelease

Hit:9 http://repository.netdata.cloud/repos/repoconfig/debian trixie/ InRelease

Hit:10 https://mirror.mariadb.org/repo/11.8/debian trixie InRelease

All packages are up to date.

The following packages were automatically installed and are no longer required:

  libgnutls-dane0t64  libunbound8

Use 'sudo apt autoremove' to remove them.


DOWNGRADING:

  sgml-base


Summary:

  Upgrading: 0, Installing: 0, Downgrading: 1, Removing: 0, Not Upgrading: 0

  Download size: 12.0 kB

  Space needed: 0 B / 395 GB available


Continue? [Y/n] n

Abort.


user@host:~$ ls -1 /var/lib/apt/lists | egrep 'd17k9fui|Packages|debian\.list' | head -n 200

_etc_apt_mirrors_debian-security.list_dists_trixie-security_main_binary-amd64_Packages

_etc_apt_mirrors_debian.list_dists_trixie-backports_InRelease

_etc_apt_mirrors_debian.list_dists_trixie-backports_main_binary-amd64_Packages

_etc_apt_mirrors_debian.list_dists_trixie-backports_main_i18n_Translation-en

_etc_apt_mirrors_debian.list_dists_trixie-backports_main_source_Sources

_etc_apt_mirrors_debian.list_dists_trixie-updates_InRelease

_etc_apt_mirrors_debian.list_dists_trixie-updates_main_binary-amd64_Packages

_etc_apt_mirrors_debian.list_dists_trixie-updates_main_i18n_Translation-en

_etc_apt_mirrors_debian.list_dists_trixie-updates_main_source_Sources

_etc_apt_mirrors_debian.list_dists_trixie_InRelease

_etc_apt_mirrors_debian.list_dists_trixie_main_binary-amd64_Packages

_etc_apt_mirrors_debian.list_dists_trixie_main_i18n_Translation-en

_etc_apt_mirrors_debian.list_dists_trixie_main_source_Sources

d17k9fuiwb52nc.cloudfront.net_dists_trixie_InRelease

d17k9fuiwb52nc.cloudfront.net_dists_trixie_main_binary-amd64_Packages

d17k9fuiwb52nc.cloudfront.net_dists_trixie_nginx_binary-amd64_Packages

d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-7.1_binary-amd64_Packages

d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-7.2_binary-amd64_Packages

d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-7.3_binary-amd64_Packages

d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-7.4_binary-amd64_Packages

d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-8.0_binary-amd64_Packages

d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-8.1_binary-amd64_Packages

d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-8.2_binary-amd64_Packages

d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-8.3_binary-amd64_Packages

d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-8.4_binary-amd64_Packages

d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-8.5_binary-amd64_Packages

d17k9fuiwb52nc.cloudfront.net_dists_trixie_proftpd_binary-amd64_Packages

d17k9fuiwb52nc.cloudfront.net_dists_trixie_varnish-7_binary-amd64_Packages

mirror.mariadb.org_repo_11.8_debian_dists_trixie_main_binary-amd64_Packages

mirror.mariadb.org_repo_11.8_debian_dists_trixie_main_binary-arm64_Packages

repository.netdata.cloud_repos_repoconfig_debian_trixie_Packages

repository.netdata.cloud_repos_stable_debian_trixie_Packages


user@host:~$ sudo apt install -y lz4

The following packages were automatically installed and are no longer required:

  libgnutls-dane0t64  libunbound8

Use 'sudo apt autoremove' to remove them.


Installing:

  lz4


Summary:

  Upgrading: 0, Installing: 1, Removing: 0, Not Upgrading: 0

  Download size: 51.7 kB

  Space needed: 146 kB / 395 GB available


Get:1 file:/etc/apt/mirrors/debian.list Mirrorlist [30 B]

Get:2 https://deb.debian.org/debian trixie/main amd64 lz4 amd64 1.10.0-4 [51.7 kB]

Fetched 51.7 kB in 0s (409 kB/s)

Selecting previously unselected package lz4.

(Reading database ... 89596 files and directories currently installed.)

Preparing to unpack .../lz4_1.10.0-4_amd64.deb ...

Unpacking lz4 (1.10.0-4) ...

Setting up lz4 (1.10.0-4) ...

Processing triggers for man-db (2.13.1-1) ...


user@host:~$ ls -1 /var/lib/apt/lists/*d17k9fui*Packages*.lz4

ls: cannot access '/var/lib/apt/lists/*d17k9fui*Packages*.lz4': No such file or directory


user@host:~$ ls -1 /var/lib/apt/lists/*mirrors*debian.list*Packages*.lz4

ls: cannot access '/var/lib/apt/lists/*mirrors*debian.list*Packages*.lz4': No such file or directory


user@host:~$ # CloudPanel

user@host:~$ sudo lz4cat /var/lib/apt/lists/*d17k9fui*trixie_main*_Packages*.lz4 \

| awk 'BEGIN{p=0} $0=="Package: sgml-base"{p=1} p{print} p && $0==""{exit}' \

> /tmp/sgml-base.cloudpanel.stanza

/var/lib/apt/lists/*d17k9fui*trixie_main*_Packages*.lz4: No such file or directory


user@host:~$

user@host:~$ # Debian (mirror+file)

user@host:~$ sudo lz4cat /var/lib/apt/lists/*mirrors*debian.list*trixie_main*_Packages*.lz4 \

| awk 'BEGIN{p=0} $0=="Package: sgml-base"{p=1} p{print} p && $0==""{exit}' \

> /tmp/sgml-base.debian.stanza

/var/lib/apt/lists/*mirrors*debian.list*trixie_main*_Packages*.lz4: No such file or directory


user@host:~$ diff -u /tmp/sgml-base.debian.stanza /tmp/sgml-base.cloudpanel.stanza | sed -n '1,200p'


user@host:~$ # adjust exact paths from Filename:

user@host:~$ DEB_FN="pool/main/s/sgml-base/sgml-base_1.31+nmu1_all.deb"

user@host:~$ CP_FN="pool/main/s/sgml-base/sgml-base_1.31+nmu1_all.deb"


user@host:~$ wget -O /tmp/sgml-base.debian.deb "https://deb.debian.org/debian/$DEB_FN"

--2025-12-13 12:42:19--  https://deb.debian.org/debian/pool/main/s/sgml-base/sgml-base_1.31+nmu1_all.deb

Resolving deb.debian.org (deb.debian.org)... 2a04:4e42:3d::644, 199.232.2.132

Connecting to deb.debian.org (deb.debian.org)|2a04:4e42:3d::644|:443... connected.

HTTP request sent, awaiting response... 200 OK

Length: 10868 (11K) [application/vnd.debian.binary-package]

Saving to: '/tmp/sgml-base.debian.deb'


/tmp/sgml-base.debian.deb 100%[=============>]  10.61K  --.-KB/s    in 0s


2025-12-13 12:42:19 (66.2 MB/s) - '/tmp/sgml-base.debian.deb' saved [10868/10868]


user@host:~$ wget -O /tmp/sgml-base.cloudpanel.deb "https://d17k9fuiwb52nc.cloudfront.net/$CP_FN"

--2025-12-13 12:42:20--  https://d17k9fuiwb52nc.cloudfront.net/pool/main/s/sgml-base/sgml-base_1.31+nmu1_all.deb

Resolving d17k9fuiwb52nc.cloudfront.net (d17k9fuiwb52nc.cloudfront.net)... 2600:9000:28b2:2400:1f:bfe9:ea00:93a1, 2600:9000:28b2:7800:1f:bfe9:ea00:93a1, 2600:9000:28b2:2a00:1f:bfe9:ea00:93a1, ...

Connecting to d17k9fuiwb52nc.cloudfront.net (d17k9fuiwb52nc.cloudfront.net)|2600:9000:28b2:2400:1f:bfe9:ea00:93a1|:443... connected.

HTTP request sent, awaiting response... 200 OK

Length: 12026 (12K) [application/octet-stream]

Saving to: '/tmp/sgml-base.cloudpanel.deb'


/tmp/sgml-base.cloudpanel.deb 100%[=============>]  11.74K  --.-KB/s    in 0s


2025-12-13 12:42:20 (209 MB/s) - '/tmp/sgml-base.cloudpanel.deb' saved [12026/12026]


user@host:~$

user@host:~$ sha256sum /tmp/sgml-base.debian.deb /tmp/sgml-base.cloudpanel.deb

a355b832d9f0f4dc9eca1a661080db5dc118e6c435f107a5c4dd201d7af59ba8  /tmp/sgml-base.debian.deb

95e923cec742ff773651bb0230fd0ee14aa1a7e092bd875c413f935729ae397d  /tmp/sgml-base.cloudpanel.deb


user@host:~$ dpkg-deb -I /tmp/sgml-base.debian.deb | sed -n '1,120p'

 new Debian package, version 2.0.

 size 10868 bytes: control archive=2292 bytes.

     763 bytes,    21 lines      control

    1054 bytes,    15 lines      md5sums

    3236 bytes,   115 lines   *  postinst             #!/bin/sh

    1157 bytes,    36 lines   *  postrm               #!/bin/sh

     669 bytes,    21 lines   *  preinst              #!/bin/sh

    1180 bytes,    43 lines   *  prerm                #!/bin/sh

      96 bytes,     4 lines      triggers

 Package: sgml-base

 Version: 1.31+nmu1

 Architecture: all

 Maintainer: Debian QA Group <packages@qa.debian.org>

 Installed-Size: 65

 Suggests: sgml-base-doc

 Section: text

 Priority: optional

 Multi-Arch: foreign

 Description: SGML infrastructure and SGML catalog file support

  This package creates the SGML infrastructure directories and provides

  SGML catalog file support in compliance with the current Debian SGML

  Policy draft:

  .

    * infrastructure directories:

       - /etc/sgml

       - /usr/share/sgml/{declaration,dtd,entities,misc,stylesheet}

       - /usr/share/local/sgml/{declaration,dtd,entities,misc,stylesheet}

  .

    * update-catalog(8): tool for maintaining the root SGML catalog

      file and the package SGML catalog files in the '/etc/sgml' directory.


user@host:~$ dpkg-deb -I /tmp/sgml-base.cloudpanel.deb | sed -n '1,120p'

 new Debian package, version 2.0.

 size 12026 bytes: control archive=2292 bytes.

     763 bytes,    21 lines      control

    1054 bytes,    15 lines      md5sums

    3236 bytes,   115 lines   *  postinst             #!/bin/sh

    1157 bytes,    36 lines   *  postrm               #!/bin/sh

     669 bytes,    21 lines   *  preinst              #!/bin/sh

    1180 bytes,    43 lines   *  prerm                #!/bin/sh

      96 bytes,     4 lines      triggers

 Package: sgml-base

 Version: 1.31+nmu1

 Architecture: all

 Maintainer: Debian QA Group <packages@qa.debian.org>

 Installed-Size: 65

 Suggests: sgml-base-doc

 Section: text

 Priority: optional

 Multi-Arch: foreign

 Description: SGML infrastructure and SGML catalog file support

  This package creates the SGML infrastructure directories and provides

  SGML catalog file support in compliance with the current Debian SGML

  Policy draft:

  .

    * infrastructure directories:

       - /etc/sgml

       - /usr/share/sgml/{declaration,dtd,entities,misc,stylesheet}

       - /usr/share/local/sgml/{declaration,dtd,entities,misc,stylesheet}

  .

    * update-catalog(8): tool for maintaining the root SGML catalog

      file and the package SGML catalog files in the '/etc/sgml' directory.


user@host:~$





On Sat, Dec 13, 2025, 12:03 David Kalnischkies <david@kalnischkies.de> wrote:
Am Thu, Dec 11, 2025 at 11:44:31PM -0300, schrieb Olegário A. Filho:
> 2) apt policy output for the affected package
>
>     # apt policy sgml-base
>     sgml-base:
>       Installed: 1.31+nmu1
>       Candidate: 1.31+nmu1
>       Version table:
>      *** 1.31+nmu1 500
>             500 mirror+file:/etc/apt/mirrors/debian.list trixie/main amd64
> Packages
>             100 /var/lib/dpkg/status
>          1.31+nmu1 1000
>            1000 https://d17k9fuiwb52nc.cloudfront.net trixie/main amd64
> Packages
>
> Note: the same version (1.31+nmu1) is available from both Debian’s mirror
> and CloudPanel’s “trixie main” repository.

That isn't the same version. It has the same version number, yes, but
libapt has detected a subtil difference in those packages. Their hashes
might be different if the package doesn't build reproducibly or the
dependencies (versions) differ. Are you sure the packages are "copied"
and not also (re)build there? Its "easiest" to look at the stanzas in
the Packages files and compare those for EXACT match. libapt does slight
massaging, but even a spurious 0:-epoch can throw it off (not all fields
are compared, but without looking I suspect a dependency with a non-
canonical version number that is differently formatted by different
tools. libapt does not canonicalize version numbers – too expensive).


Given the versions are different and apt detects the installed one as
the one from Debian (also hinting at a small difference caused by
different repository generators) the behaviour you encounter is actually
the one you have configured to happen and is correct.

If the versions are detected as the same, they are grouped together
under the same version number, like the Debian version and the installed
version are grouped together. The other one would be the third line in
this group – if they were detected as the same.


Best regards

David Kalnischkies
Reply to: