Bug#1122637: APT incorrectly attempts to downgrade sgml-base when CloudPanel repository is enabled on Debian 13 (Trixie)

Hello David,

As mentioned, following your advice, I commented out the CloudPanel trixie main repository line (keeping only the component-specific repositories such as nginx, php-*, etc.).

After doing so, I ran apt full-upgrade on the same system, and APT then proposed a large removal set, including the cloudpanel package itself and major parts of the stack (nginx, php, varnish, proftpd), despite the system otherwise being in a consistent state.

This seems to indicate that the presence of the CloudPanel main repository is currently masking deeper dependency / packaging issues, and that removing it exposes unresolved relationships between CloudPanel packages and Debian main.

I am CC’ing the CloudPanel team on this message, as this behaviour may be relevant for them to review from a packaging and repository design perspective.

Thank you once again for your time and for all your contributions to Debian.

Best regards,

Olegário A. Filho

/etc/apt/sources.list.d/packages.cloudpanel.io.list

# deb https://<CLOUDPANEL_CDN>/ trixie main

deb https://<CLOUDPANEL_CDN>/ trixie nginx

deb https://<CLOUDPANEL_CDN>/ trixie php-7.1

deb https://<CLOUDPANEL_CDN>/ trixie php-7.2

deb https://<CLOUDPANEL_CDN>/ trixie php-7.3

deb https://<CLOUDPANEL_CDN>/ trixie php-7.4

deb https://<CLOUDPANEL_CDN>/ trixie php-8.0

deb https://<CLOUDPANEL_CDN>/ trixie php-8.1

deb https://<CLOUDPANEL_CDN>/ trixie php-8.2

deb https://<CLOUDPANEL_CDN>/ trixie php-8.3

deb https://<CLOUDPANEL_CDN>/ trixie php-8.4

deb https://<CLOUDPANEL_CDN>/ trixie php-8.5

deb https://<CLOUDPANEL_CDN>/ trixie proftpd

deb https://<CLOUDPANEL_CDN>/ trixie varnish-7

<USER>@<HOST>:~$ sudo apt update && sudo apt upgrade

Get:1 file:/etc/apt/mirrors/debian.list Mirrorlist [30 B]

Get:2 file:/etc/apt/mirrors/debian-security.list Mirrorlist [39 B]

Hit:7 http://repository.netdata.cloud/repos/stable/debian trixie/ InRelease

Hit:8 https://<CLOUDPANEL_CDN> trixie InRelease

Hit:9 http://repository.netdata.cloud/repos/repoconfig/debian trixie/ InRelease

Hit:3 https://deb.debian.org/debian trixie InRelease

Hit:4 https://deb.debian.org/debian trixie-updates InRelease

Hit:5 https://deb.debian.org/debian trixie-backports InRelease

Hit:6 https://deb.debian.org/debian-security trixie-security InRelease

Hit:10 https://mirror.mariadb.org/repo/11.8/debian trixie InRelease

1 package can be upgraded. Run 'apt list --upgradable' to see it.

The following packages were automatically installed and are no longer required:

libgnutls-dane0t64 libunbound8

Use 'sudo apt autoremove' to remove them.

Not upgrading:

php-common

Summary:

Upgrading: 0, Installing: 0, Removing: 0, Not Upgrading: 1

<USER>@<HOST>:~$ sudo apt full-upgrade

The following packages were automatically installed and are no longer required:

apache2 libxpm4

apache2-bin libxslt1.1

apache2-data libxt6t64

apache2-utils libyajl2

apt-show-versions libyuv0

fail2ban libzip5

fontconfig-config libzmq5

fonts-dejavu-core memcached

fonts-dejavu-mono mlock

fonts-droid-fallback net-tools

fonts-noto-mono nginx

fonts-urw-base35 nginx-common

geoip-database nginx-full

ghostscript optipng

gifsicle php-common

htop php7.1

imagemagick-7-common php7.1-cli

inetutils-telnet php7.1-common

iotop php7.1-intl

jpegoptim php7.1-json

libabsl20240722 php7.1-opcache

libaom3 php7.1-readline

libapache2-mod-php7.1 php7.1-sqlite3

libapache2-mod-php7.2 php7.2

libapache2-mod-php7.3 php7.2-cli

libapache2-mod-php8.1 php7.2-common

libapache2-mod-php8.2 php7.2-curl

libapache2-mod-php8.3 php7.2-json

libapr1t64 php7.2-opcache

libaprutil1-dbd-sqlite3 php7.2-readline

libaprutil1-ldap php7.2-sqlite3

libaprutil1t64 php7.3

libapt-pkg-perl php7.3-cli

libarchive-tools php7.3-common

libargon2-1 php7.3-json

libavahi-client3 php7.3-opcache

libavahi-common-data php7.3-readline

libavahi-common3 php7.3-xmlrpc

libavif16 php8.1

libc-client2007e php8.1-cli

libcups2t64 php8.1-common

libdav1d7 php8.1-intl

libde265-0 php8.1-opcache

libdeflate0 php8.1-readline

libevent-2.1-7t64 php8.2

libfftw3-double3 php8.2-cli

libfontconfig1 php8.2-common

libfontenc1 php8.2-opcache

libgav1-1 php8.2-readline

libgd3 php8.3

libgeoip1t64 php8.3-cli

libgnutls-dane0t64 php8.3-common

libgs-common php8.3-opcache

libgs10 php8.3-readline

libgs10-common php8.4

libhashkit2t64 php8.4-bcmath

libheif-plugin-aomenc php8.4-cli

libheif-plugin-dav1d php8.4-common

libheif-plugin-libde265 php8.4-curl

libheif-plugin-x265 php8.4-fpm

libheif1 php8.4-gd

libhiredis1.1.0 php8.4-intl

libice6 php8.4-mbstring

libidn12 php8.4-mysql

libijs-0.35 php8.4-opcache

libimagequant0 php8.4-readline

libjbig0 php8.4-soap

libjbig2dec0 php8.4-sqlite3

libjpeg62-turbo php8.4-xml

liblcms2-2 php8.4-xsl

liblerc4 php8.4-zip

liblqr-1-0 php8.5

libltdl7 php8.5-bcmath

liblua5.4-0 php8.5-cli

libmagickcore-7.q16-10 php8.5-common

libmagickwand-7.q16-10 php8.5-curl

libmcrypt4 php8.5-fpm

libmemcached11t64 php8.5-gd

libmemcachedutil2t64 php8.5-intl

libnginx-mod-http-auth-pam php8.5-mbstring

libnginx-mod-http-dav-ext php8.5-mysql

libnginx-mod-http-geoip php8.5-readline

libnginx-mod-http-image-filter php8.5-soap

libnginx-mod-http-subs-filter php8.5-sqlite3

libnginx-mod-http-upstream-fair php8.5-xml

libnginx-mod-http-xslt-filter php8.5-xsl

libnginx-mod-mail php8.5-zip

libnginx-mod-ngx-brotli poppler-data

libnginx-mod-stream proftpd-core

libnorm1t64 proftpd-doc

libonig5 pwgen

libopenjp2-7 python3-autocommand

libossp-uuid16 python3-inflect

libpaper-utils python3-jaraco.context

libpaper2 python3-jaraco.functools

libpcre3 python3-jaraco.text

libpgm-5.3-0t64 python3-more-itertools

libpython3.13 python3-pkg-resources

librav1e0.7 python3-pyasyncore

libraw23t64 python3-pyinotify

libsensors-config python3-setuptools

libsensors5 python3-systemd

libsharpyuv0 python3-typeguard

libsm6 python3-zipp

libssl-dev rclone

libsvtav1enc2 sqlite3

libtiff6 sysstat

libunbound8 telnet

libwebp7 unzip

libwebpdemux2 uuid

libwebpmux3 uwsgi

libx11-6 uwsgi-core

libx11-data uwsgi-plugin-python3

libx265-215 varnish

libxau6 whois

libxcb1 x11-common

libxdmcp6 xfonts-encodings

libxext6 xfonts-utils

libxmlrpc-epi0t64 zip

Use 'sudo apt autoremove' to remove them.

Installing dependencies:

apache2 libapache2-mod-php8.1

apache2-bin libapache2-mod-php8.2

apache2-data libapache2-mod-php8.3

libapache2-mod-php7.1 libaprutil1-dbd-sqlite3

libapache2-mod-php7.2 libaprutil1-ldap

libapache2-mod-php7.3 liblua5.4-0

Suggested packages:

apache2-doc | apache2-suexec-custom php-pear

apache2-suexec-pristine www-browser

Not upgrading:

php-common

REMOVING:

cloudpanel php7.3-gd php7.4-zip php8.1-xsl

php7.1-bcmath php7.3-imap php8.0 php8.1-zip

php7.1-curl php7.3-intl php8.0-bcmath php8.2-bcmath

php7.1-fpm php7.3-mbstring php8.0-cli php8.2-curl

php7.1-gd php7.3-mysql php8.0-common php8.2-fpm

php7.1-imap php7.3-soap php8.0-curl php8.2-gd

php7.1-mbstring php7.3-sqlite3 php8.0-fpm php8.2-imap

php7.1-mcrypt php7.3-xml php8.0-gd php8.2-intl

php7.1-mysql php7.3-xsl php8.0-imap php8.2-mbstring

php7.1-soap php7.3-zip php8.0-intl php8.2-mysql

php7.1-xml php7.4 php8.0-mbstring php8.2-soap

php7.1-xmlrpc php7.4-bcmath php8.0-mysql php8.2-sqlite3

php7.1-xsl php7.4-cli php8.0-opcache php8.2-xml

php7.1-zip php7.4-common php8.0-readline php8.2-xsl

php7.2-bcmath php7.4-curl php8.0-soap php8.2-zip

php7.2-fpm php7.4-fpm php8.0-sqlite3 php8.3-bcmath

php7.2-gd php7.4-gd php8.0-xml php8.3-curl

php7.2-imap php7.4-imap php8.0-xsl php8.3-fpm

php7.2-intl php7.4-intl php8.0-zip php8.3-gd

php7.2-mbstring php7.4-json php8.1-bcmath php8.3-imap

php7.2-mysql php7.4-mbstring php8.1-curl php8.3-intl

php7.2-soap php7.4-mysql php8.1-fpm php8.3-mbstring

php7.2-xml php7.4-opcache php8.1-gd php8.3-mysql

php7.2-xmlrpc php7.4-readline php8.1-imap php8.3-soap

php7.2-xsl php7.4-soap php8.1-mbstring php8.3-sqlite3

php7.2-zip php7.4-sqlite3 php8.1-mysql php8.3-xml

php7.3-bcmath php7.4-xml php8.1-soap php8.3-xsl

php7.3-curl php7.4-xmlrpc php8.1-sqlite3 php8.3-zip

php7.3-fpm php7.4-xsl php8.1-xml

Summary:

Upgrading: 0, Installing: 12, Removing: 115, Not Upgrading: 1

Download size: 11.1 MB

Freed space: 395 MB

Continue? [Y/n]

On Sat, Dec 13, 2025, 13:45 Olegário A. Filho <ole.a.filho@gmail.com> wrote:

Dear David,

First of all, thank you very much for taking the time to reply — and more than that, thank you for your long-standing and invaluable contributions to apt/Debian.

Following your message, I went ahead and performed all the suggested checks in detail, to verify whether the packages were truly identical or not, beyond sharing the same version number.

What I verified

I confirmed that:

1. APT correctly detects them as different packages, despite sharing the same version string (1.31+nmu1), which already explains the behavior observed.

2. I extracted and compared the actual .deb files provided by:

Debian official repository (deb.debian.org)

CloudPanel repository (d17k9fuiwb52nc.cloudfront.net)

3. The packages are not byte-identical:

Different file sizes

Different SHA256 hashes

Debian: 10868 bytes sha256 a355b832d9f0f4dc9eca1a661080db5dc118e6c435f107a5c4dd201d7af59ba8
CloudPanel: 12026 bytes sha256 95e923cec742ff773651bb0230fd0ee14aa1a7e092bd875c413f935729ae397d

4. Inspecting the control metadata (dpkg-deb -I) shows the same declared version and metadata fields, but clearly the binaries are not identical, confirming your point that these are distinct builds, not mere mirrors.

So your analysis was absolutely correct:
APT is behaving exactly as configured, and the repeated downgrade prompt is a direct consequence of the repository setup.

Practical conclusion on my side

From an operational and policy standpoint, I have decided to comment out the trixie main entry from the CloudPanel repository on my system.

CloudPanel already provides its required components via dedicated suites (nginx, PHP versions, varnish, etc.), and allowing a third-party repository to also publish packages from Debian main — especially when they are rebuilt or modified — seems risky and contrary to best practices for system stability.

I must admit that I still do not fully understand why CloudPanel maintains a main component at all, instead of restricting their repository strictly to the packages they actively maintain.

For this reason, I am re-CC’ing the CloudPanel team on this thread, so they can review whether publishing Debian base packages under main is really intentional and advisable, particularly on Debian 13.

Appendix

Below I will include the full list of commands and outputs used during the investigation (as previously shared), for completeness and reproducibility.

Once again, thank you very much for the clarification, the technical depth of your explanation, and for confirming that the observed behavior is correct given the current repository configuration.

Best regards,
Olegário A. Filho

------------------------------------------

Last login: Sat Dec 13 12:35:32 2025 from [REDACTED-IP]
user@host:~$ sudo apt update && sudo apt upgrade
[sudo] password for user:
Get:1 file:/etc/apt/mirrors/debian.list Mirrorlist [30 B]
Get:5 file:/etc/apt/mirrors/debian-security.list Mirrorlist [39 B]
Hit:6 http://repository.netdata.cloud/repos/stable/debian trixie/ InRelease
Hit:8 http://repository.netdata.cloud/repos/repoconfig/debian trixie/ InRelease
Hit:9 https://d17k9fuiwb52nc.cloudfront.net trixie InRelease
Hit:2 https://deb.debian.org/debian trixie InRelease
Hit:3 https://deb.debian.org/debian trixie-updates InRelease
Hit:4 https://deb.debian.org/debian trixie-backports InRelease
Hit:7 https://deb.debian.org/debian-security trixie-security InRelease
Hit:10 https://mirror.mariadb.org/repo/11.8/debian trixie InRelease
All packages are up to date.
The following packages were automatically installed and are no longer required:
  libgnutls-dane0t64 libunbound8
Use 'sudo apt autoremove' to remove them.

DOWNGRADING:
  sgml-base

Summary:
  Upgrading: 0, Installing: 0, Downgrading: 1, Removing: 0, Not Upgrading: 0
  Download size: 12.0 kB
  Space needed: 0 B / 395 GB available

Continue? [Y/n] y
Get:1 https://d17k9fuiwb52nc.cloudfront.net trixie/main amd64 sgml-base all 1.31+nmu1 [12.0 kB]
Fetched 12.0 kB in 0s (158 kB/s)
(Reading database ... 89596 files and directories currently installed.)
Preparing to unpack .../sgml-base_1.31+nmu1_all.deb ...
Unpacking sgml-base (1.31+nmu1) over (1.31+nmu1) ...
Setting up sgml-base (1.31+nmu1) ...
Processing triggers for man-db (2.13.1-1) ...

user@host:~$ sudo apt update && sudo apt upgrade
Get:1 file:/etc/apt/mirrors/debian.list Mirrorlist [30 B]
Get:2 file:/etc/apt/mirrors/debian-security.list Mirrorlist [39 B]
Hit:7 http://repository.netdata.cloud/repos/stable/debian trixie/ InRelease
Hit:3 https://deb.debian.org/debian trixie InRelease
Hit:8 https://d17k9fuiwb52nc.cloudfront.net trixie InRelease
Hit:4 https://deb.debian.org/debian trixie-updates InRelease
Hit:5 https://deb.debian.org/debian trixie-backports InRelease
Hit:6 https://deb.debian.org/debian-security trixie-security InRelease
Hit:9 http://repository.netdata.cloud/repos/repoconfig/debian trixie/ InRelease
Hit:10 https://mirror.mariadb.org/repo/11.8/debian trixie InRelease
All packages are up to date.
The following packages were automatically installed and are no longer required:
  libgnutls-dane0t64 libunbound8
Use 'sudo apt autoremove' to remove them.

DOWNGRADING:
  sgml-base

Summary:
  Upgrading: 0, Installing: 0, Downgrading: 1, Removing: 0, Not Upgrading: 0
  Download size: 12.0 kB
  Space needed: 0 B / 395 GB available

Continue? [Y/n] y
Get:1 https://d17k9fuiwb52nc.cloudfront.net trixie/main amd64 sgml-base all 1.31+nmu1 [12.0 kB]
Fetched 12.0 kB in 0s (172 kB/s)
(Reading database ... 89596 files and directories currently installed.)
Preparing to unpack .../sgml-base_1.31+nmu1_all.deb ...
Unpacking sgml-base (1.31+nmu1) over (1.31+nmu1) ...
Setting up sgml-base (1.31+nmu1) ...
Processing triggers for man-db (2.13.1-1) ...

user@host:~$ sudo apt update && sudo apt upgrade
Get:1 file:/etc/apt/mirrors/debian.list Mirrorlist [30 B]
Get:2 file:/etc/apt/mirrors/debian-security.list Mirrorlist [39 B]
Hit:7 http://repository.netdata.cloud/repos/stable/debian trixie/ InRelease
Hit:3 https://deb.debian.org/debian trixie InRelease
Hit:8 https://d17k9fuiwb52nc.cloudfront.net trixie InRelease
Hit:4 https://deb.debian.org/debian trixie-updates InRelease
Hit:5 https://deb.debian.org/debian trixie-backports InRelease
Hit:6 https://deb.debian.org/debian-security trixie-security InRelease
Hit:9 http://repository.netdata.cloud/repos/repoconfig/debian trixie/ InRelease
Hit:10 https://mirror.mariadb.org/repo/11.8/debian trixie InRelease
All packages are up to date.
The following packages were automatically installed and are no longer required:
  libgnutls-dane0t64 libunbound8
Use 'sudo apt autoremove' to remove them.

DOWNGRADING:
  sgml-base

Summary:
  Upgrading: 0, Installing: 0, Downgrading: 1, Removing: 0, Not Upgrading: 0
  Download size: 12.0 kB
  Space needed: 0 B / 395 GB available

Continue? [Y/n] n
Abort.

user@host:~$ ls -1 /var/lib/apt/lists | egrep 'd17k9fui|Packages|debian\.list' | head -n 200
_etc_apt_mirrors_debian-security.list_dists_trixie-security_main_binary-amd64_Packages
_etc_apt_mirrors_debian.list_dists_trixie-backports_InRelease
_etc_apt_mirrors_debian.list_dists_trixie-backports_main_binary-amd64_Packages
_etc_apt_mirrors_debian.list_dists_trixie-backports_main_i18n_Translation-en
_etc_apt_mirrors_debian.list_dists_trixie-backports_main_source_Sources
_etc_apt_mirrors_debian.list_dists_trixie-updates_InRelease
_etc_apt_mirrors_debian.list_dists_trixie-updates_main_binary-amd64_Packages
_etc_apt_mirrors_debian.list_dists_trixie-updates_main_i18n_Translation-en
_etc_apt_mirrors_debian.list_dists_trixie-updates_main_source_Sources
_etc_apt_mirrors_debian.list_dists_trixie_InRelease
_etc_apt_mirrors_debian.list_dists_trixie_main_binary-amd64_Packages
_etc_apt_mirrors_debian.list_dists_trixie_main_i18n_Translation-en
_etc_apt_mirrors_debian.list_dists_trixie_main_source_Sources
d17k9fuiwb52nc.cloudfront.net_dists_trixie_InRelease
d17k9fuiwb52nc.cloudfront.net_dists_trixie_main_binary-amd64_Packages
d17k9fuiwb52nc.cloudfront.net_dists_trixie_nginx_binary-amd64_Packages
d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-7.1_binary-amd64_Packages
d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-7.2_binary-amd64_Packages
d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-7.3_binary-amd64_Packages
d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-7.4_binary-amd64_Packages
d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-8.0_binary-amd64_Packages
d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-8.1_binary-amd64_Packages
d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-8.2_binary-amd64_Packages
d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-8.3_binary-amd64_Packages
d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-8.4_binary-amd64_Packages
d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-8.5_binary-amd64_Packages
d17k9fuiwb52nc.cloudfront.net_dists_trixie_proftpd_binary-amd64_Packages
d17k9fuiwb52nc.cloudfront.net_dists_trixie_varnish-7_binary-amd64_Packages
mirror.mariadb.org_repo_11.8_debian_dists_trixie_main_binary-amd64_Packages
mirror.mariadb.org_repo_11.8_debian_dists_trixie_main_binary-arm64_Packages
repository.netdata.cloud_repos_repoconfig_debian_trixie_Packages
repository.netdata.cloud_repos_stable_debian_trixie_Packages

user@host:~$ sudo apt install -y lz4
The following packages were automatically installed and are no longer required:
  libgnutls-dane0t64 libunbound8
Use 'sudo apt autoremove' to remove them.

Installing:
  lz4

Summary:
  Upgrading: 0, Installing: 1, Removing: 0, Not Upgrading: 0
  Download size: 51.7 kB
  Space needed: 146 kB / 395 GB available

Get:1 file:/etc/apt/mirrors/debian.list Mirrorlist [30 B]
Get:2 https://deb.debian.org/debian trixie/main amd64 lz4 amd64 1.10.0-4 [51.7 kB]
Fetched 51.7 kB in 0s (409 kB/s)
Selecting previously unselected package lz4.
(Reading database ... 89596 files and directories currently installed.)
Preparing to unpack .../lz4_1.10.0-4_amd64.deb ...
Unpacking lz4 (1.10.0-4) ...
Setting up lz4 (1.10.0-4) ...
Processing triggers for man-db (2.13.1-1) ...

user@host:~$ ls -1 /var/lib/apt/lists/*d17k9fui*Packages*.lz4
ls: cannot access '/var/lib/apt/lists/*d17k9fui*Packages*.lz4': No such file or directory

user@host:~$ ls -1 /var/lib/apt/lists/*mirrors*debian.list*Packages*.lz4
ls: cannot access '/var/lib/apt/lists/*mirrors*debian.list*Packages*.lz4': No such file or directory

user@host:~$ # CloudPanel
user@host:~$ sudo lz4cat /var/lib/apt/lists/*d17k9fui*trixie_main*_Packages*.lz4 \
| awk 'BEGIN{p=0} $0=="Package: sgml-base"{p=1} p{print} p && $0==""{exit}' \
> /tmp/sgml-base.cloudpanel.stanza
/var/lib/apt/lists/*d17k9fui*trixie_main*_Packages*.lz4: No such file or directory

user@host:~$
user@host:~$ # Debian (mirror+file)
user@host:~$ sudo lz4cat /var/lib/apt/lists/*mirrors*debian.list*trixie_main*_Packages*.lz4 \
| awk 'BEGIN{p=0} $0=="Package: sgml-base"{p=1} p{print} p && $0==""{exit}' \
> /tmp/sgml-base.debian.stanza
/var/lib/apt/lists/*mirrors*debian.list*trixie_main*_Packages*.lz4: No such file or directory

user@host:~$ diff -u /tmp/sgml-base.debian.stanza /tmp/sgml-base.cloudpanel.stanza | sed -n '1,200p'

user@host:~$ # adjust exact paths from Filename:
user@host:~$ DEB_FN="pool/main/s/sgml-base/sgml-base_1.31+nmu1_all.deb"
user@host:~$ CP_FN="pool/main/s/sgml-base/sgml-base_1.31+nmu1_all.deb"

user@host:~$ wget -O /tmp/sgml-base.debian.deb "https://deb.debian.org/debian/$DEB_FN"
--2025-12-13 12:42:19-- https://deb.debian.org/debian/pool/main/s/sgml-base/sgml-base_1.31+nmu1_all.deb
Resolving deb.debian.org (deb.debian.org)... 2a04:4e42:3d::644, 199.232.2.132
Connecting to deb.debian.org (deb.debian.org)|2a04:4e42:3d::644|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10868 (11K) [application/vnd.debian.binary-package]
Saving to: '/tmp/sgml-base.debian.deb'

/tmp/sgml-base.debian.deb 100%[=============>] 10.61K --.-KB/s in 0s

2025-12-13 12:42:19 (66.2 MB/s) - '/tmp/sgml-base.debian.deb' saved [10868/10868]

user@host:~$ wget -O /tmp/sgml-base.cloudpanel.deb "https://d17k9fuiwb52nc.cloudfront.net/$CP_FN"
--2025-12-13 12:42:20-- https://d17k9fuiwb52nc.cloudfront.net/pool/main/s/sgml-base/sgml-base_1.31+nmu1_all.deb
Resolving d17k9fuiwb52nc.cloudfront.net (d17k9fuiwb52nc.cloudfront.net)... 2600:9000:28b2:2400:1f:bfe9:ea00:93a1, 2600:9000:28b2:7800:1f:bfe9:ea00:93a1, 2600:9000:28b2:2a00:1f:bfe9:ea00:93a1, ...
Connecting to d17k9fuiwb52nc.cloudfront.net (d17k9fuiwb52nc.cloudfront.net)|2600:9000:28b2:2400:1f:bfe9:ea00:93a1|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12026 (12K) [application/octet-stream]
Saving to: '/tmp/sgml-base.cloudpanel.deb'

/tmp/sgml-base.cloudpanel.deb 100%[=============>] 11.74K --.-KB/s in 0s

2025-12-13 12:42:20 (209 MB/s) - '/tmp/sgml-base.cloudpanel.deb' saved [12026/12026]

user@host:~$
user@host:~$ sha256sum /tmp/sgml-base.debian.deb /tmp/sgml-base.cloudpanel.deb
a355b832d9f0f4dc9eca1a661080db5dc118e6c435f107a5c4dd201d7af59ba8 /tmp/sgml-base.debian.deb
95e923cec742ff773651bb0230fd0ee14aa1a7e092bd875c413f935729ae397d /tmp/sgml-base.cloudpanel.deb

user@host:~$ dpkg-deb -I /tmp/sgml-base.debian.deb | sed -n '1,120p'
new Debian package, version 2.0.
size 10868 bytes: control archive=2292 bytes.
     763 bytes, 21 lines control
    1054 bytes, 15 lines md5sums
    3236 bytes, 115 lines * postinst #!/bin/sh
    1157 bytes, 36 lines * postrm #!/bin/sh
     669 bytes, 21 lines * preinst #!/bin/sh
    1180 bytes, 43 lines * prerm #!/bin/sh
      96 bytes, 4 lines triggers
Package: sgml-base
Version: 1.31+nmu1
Architecture: all
Maintainer: Debian QA Group <packages@qa.debian.org>
Installed-Size: 65
Suggests: sgml-base-doc
Section: text
Priority: optional
Multi-Arch: foreign
Description: SGML infrastructure and SGML catalog file support
  This package creates the SGML infrastructure directories and provides
  SGML catalog file support in compliance with the current Debian SGML
  Policy draft:
  .
    * infrastructure directories:
       - /etc/sgml
       - /usr/share/sgml/{declaration,dtd,entities,misc,stylesheet}
       - /usr/share/local/sgml/{declaration,dtd,entities,misc,stylesheet}
  .
    * update-catalog(8): tool for maintaining the root SGML catalog
      file and the package SGML catalog files in the '/etc/sgml' directory.

user@host:~$ dpkg-deb -I /tmp/sgml-base.cloudpanel.deb | sed -n '1,120p'
new Debian package, version 2.0.
size 12026 bytes: control archive=2292 bytes.
     763 bytes, 21 lines control
    1054 bytes, 15 lines md5sums
    3236 bytes, 115 lines * postinst #!/bin/sh
    1157 bytes, 36 lines * postrm #!/bin/sh
     669 bytes, 21 lines * preinst #!/bin/sh
    1180 bytes, 43 lines * prerm #!/bin/sh
      96 bytes, 4 lines triggers
Package: sgml-base
Version: 1.31+nmu1
Architecture: all
Maintainer: Debian QA Group <packages@qa.debian.org>
Installed-Size: 65
Suggests: sgml-base-doc
Section: text
Priority: optional
Multi-Arch: foreign
Description: SGML infrastructure and SGML catalog file support
  This package creates the SGML infrastructure directories and provides
  SGML catalog file support in compliance with the current Debian SGML
  Policy draft:
  .
    * infrastructure directories:
       - /etc/sgml
       - /usr/share/sgml/{declaration,dtd,entities,misc,stylesheet}
       - /usr/share/local/sgml/{declaration,dtd,entities,misc,stylesheet}
  .
    * update-catalog(8): tool for maintaining the root SGML catalog
      file and the package SGML catalog files in the '/etc/sgml' directory.

user@host:~$

On Sat, Dec 13, 2025, 12:03 David Kalnischkies <david@kalnischkies.de> wrote:
Am Thu, Dec 11, 2025 at 11:44:31PM -0300, schrieb Olegário A. Filho:
> 2) apt policy output for the affected package
>
> # apt policy sgml-base
> sgml-base:
> Installed: 1.31+nmu1
> Candidate: 1.31+nmu1
> Version table:
> *** 1.31+nmu1 500
> 500 mirror+file:/etc/apt/mirrors/debian.list trixie/main amd64
> Packages
> 100 /var/lib/dpkg/status
> 1.31+nmu1 1000
> 1000 https://d17k9fuiwb52nc.cloudfront.net trixie/main amd64
> Packages
>
> Note: the same version (1.31+nmu1) is available from both Debian’s mirror
> and CloudPanel’s “trixie main” repository.

That isn't the same version. It has the same version number, yes, but
libapt has detected a subtil difference in those packages. Their hashes
might be different if the package doesn't build reproducibly or the
dependencies (versions) differ. Are you sure the packages are "copied"
and not also (re)build there? Its "easiest" to look at the stanzas in
the Packages files and compare those for EXACT match. libapt does slight
massaging, but even a spurious 0:-epoch can throw it off (not all fields
are compared, but without looking I suspect a dependency with a non-
canonical version number that is differently formatted by different
tools. libapt does not canonicalize version numbers – too expensive).

Given the versions are different and apt detects the installed one as
the one from Debian (also hinting at a small difference caused by
different repository generators) the behaviour you encounter is actually
the one you have configured to happen and is correct.

If the versions are detected as the same, they are grouped together
under the same version number, like the Debian version and the installed
version are grouped together. The other one would be the third line in
this group – if they were detected as the same.

Best regards

David Kalnischkies