Dear David, First of all, thank you very much for taking the time to reply — and more than that, thank you for your long-standing and invaluable contributions to apt/Debian.
Following your message, I went ahead and performed all the suggested checks in detail, to verify whether the packages were truly identical or not, beyond sharing the same version number. What I verified I confirmed that: 1. APT correctly detects them as different packages, despite sharing the same version string (1.31+nmu1), which already explains the behavior observed. 2. I extracted and compared the actual .deb files provided by: Debian official repository (deb.debian.org) CloudPanel repository (d17k9fuiwb52nc.cloudfront.net) 3. The packages are not byte-identical: Different file sizes Different SHA256 hashes Debian: 10868 bytes sha256 a355b832d9f0f4dc9eca1a661080db5dc118e6c435f107a5c4dd201d7af59ba8 CloudPanel: 12026 bytes sha256 95e923cec742ff773651bb0230fd0ee14aa1a7e092bd875c413f935729ae397d 4. Inspecting the control metadata (dpkg-deb -I) shows the same declared version and metadata fields, but clearly the binaries are not identical, confirming your point that these are distinct builds, not mere mirrors. So your analysis was absolutely correct: APT is behaving exactly as configured, and the repeated downgrade prompt is a direct consequence of the repository setup. Practical conclusion on my side >From an operational and policy standpoint, I have decided to comment out the trixie main entry from the CloudPanel repository on my system. CloudPanel already provides its required components via dedicated suites (nginx, PHP versions, varnish, etc.), and allowing a third-party repository to also publish packages from Debian main — especially when they are rebuilt or modified — seems risky and contrary to best practices for system stability. I must admit that I still do not fully understand why CloudPanel maintains a main component at all, instead of restricting their repository strictly to the packages they actively maintain. For this reason, I am re-CC’ing the CloudPanel team on this thread, so they can review whether publishing Debian base packages under main is really intentional and advisable, particularly on Debian 13. Appendix Below I will include the full list of commands and outputs used during the investigation (as previously shared), for completeness and reproducibility. Once again, thank you very much for the clarification, the technical depth of your explanation, and for confirming that the observed behavior is correct given the current repository configuration. Best regards, Olegário A. Filho ------------------------------------------ Last login: Sat Dec 13 12:35:32 2025 from [REDACTED-IP] user@host:~$ sudo apt update && sudo apt upgrade [sudo] password for user: Get:1 file:/etc/apt/mirrors/debian.list Mirrorlist [30 B] Get:5 file:/etc/apt/mirrors/debian-security.list Mirrorlist [39 B] Hit:6 http://repository.netdata.cloud/repos/stable/debian trixie/ InRelease Hit:8 http://repository.netdata.cloud/repos/repoconfig/debian trixie/ InRelease Hit:9 https://d17k9fuiwb52nc.cloudfront.net trixie InRelease Hit:2 https://deb.debian.org/debian trixie InRelease Hit:3 https://deb.debian.org/debian trixie-updates InRelease Hit:4 https://deb.debian.org/debian trixie-backports InRelease Hit:7 https://deb.debian.org/debian-security trixie-security InRelease Hit:10 https://mirror.mariadb.org/repo/11.8/debian trixie InRelease All packages are up to date. The following packages were automatically installed and are no longer required: libgnutls-dane0t64 libunbound8 Use 'sudo apt autoremove' to remove them. DOWNGRADING: sgml-base Summary: Upgrading: 0, Installing: 0, Downgrading: 1, Removing: 0, Not Upgrading: 0 Download size: 12.0 kB Space needed: 0 B / 395 GB available Continue? [Y/n] y Get:1 https://d17k9fuiwb52nc.cloudfront.net trixie/main amd64 sgml-base all 1.31+nmu1 [12.0 kB] Fetched 12.0 kB in 0s (158 kB/s) (Reading database ... 89596 files and directories currently installed.) Preparing to unpack .../sgml-base_1.31+nmu1_all.deb ... Unpacking sgml-base (1.31+nmu1) over (1.31+nmu1) ... Setting up sgml-base (1.31+nmu1) ... Processing triggers for man-db (2.13.1-1) ... user@host:~$ sudo apt update && sudo apt upgrade Get:1 file:/etc/apt/mirrors/debian.list Mirrorlist [30 B] Get:2 file:/etc/apt/mirrors/debian-security.list Mirrorlist [39 B] Hit:7 http://repository.netdata.cloud/repos/stable/debian trixie/ InRelease Hit:3 https://deb.debian.org/debian trixie InRelease Hit:8 https://d17k9fuiwb52nc.cloudfront.net trixie InRelease Hit:4 https://deb.debian.org/debian trixie-updates InRelease Hit:5 https://deb.debian.org/debian trixie-backports InRelease Hit:6 https://deb.debian.org/debian-security trixie-security InRelease Hit:9 http://repository.netdata.cloud/repos/repoconfig/debian trixie/ InRelease Hit:10 https://mirror.mariadb.org/repo/11.8/debian trixie InRelease All packages are up to date. The following packages were automatically installed and are no longer required: libgnutls-dane0t64 libunbound8 Use 'sudo apt autoremove' to remove them. DOWNGRADING: sgml-base Summary: Upgrading: 0, Installing: 0, Downgrading: 1, Removing: 0, Not Upgrading: 0 Download size: 12.0 kB Space needed: 0 B / 395 GB available Continue? [Y/n] y Get:1 https://d17k9fuiwb52nc.cloudfront.net trixie/main amd64 sgml-base all 1.31+nmu1 [12.0 kB] Fetched 12.0 kB in 0s (172 kB/s) (Reading database ... 89596 files and directories currently installed.) Preparing to unpack .../sgml-base_1.31+nmu1_all.deb ... Unpacking sgml-base (1.31+nmu1) over (1.31+nmu1) ... Setting up sgml-base (1.31+nmu1) ... Processing triggers for man-db (2.13.1-1) ... user@host:~$ sudo apt update && sudo apt upgrade Get:1 file:/etc/apt/mirrors/debian.list Mirrorlist [30 B] Get:2 file:/etc/apt/mirrors/debian-security.list Mirrorlist [39 B] Hit:7 http://repository.netdata.cloud/repos/stable/debian trixie/ InRelease Hit:3 https://deb.debian.org/debian trixie InRelease Hit:8 https://d17k9fuiwb52nc.cloudfront.net trixie InRelease Hit:4 https://deb.debian.org/debian trixie-updates InRelease Hit:5 https://deb.debian.org/debian trixie-backports InRelease Hit:6 https://deb.debian.org/debian-security trixie-security InRelease Hit:9 http://repository.netdata.cloud/repos/repoconfig/debian trixie/ InRelease Hit:10 https://mirror.mariadb.org/repo/11.8/debian trixie InRelease All packages are up to date. The following packages were automatically installed and are no longer required: libgnutls-dane0t64 libunbound8 Use 'sudo apt autoremove' to remove them. DOWNGRADING: sgml-base Summary: Upgrading: 0, Installing: 0, Downgrading: 1, Removing: 0, Not Upgrading: 0 Download size: 12.0 kB Space needed: 0 B / 395 GB available Continue? [Y/n] n Abort. user@host:~$ ls -1 /var/lib/apt/lists | egrep 'd17k9fui|Packages|debian\.list' | head -n 200 _etc_apt_mirrors_debian-security.list_dists_trixie-security_main_binary-amd64_Packages _etc_apt_mirrors_debian.list_dists_trixie-backports_InRelease _etc_apt_mirrors_debian.list_dists_trixie-backports_main_binary-amd64_Packages _etc_apt_mirrors_debian.list_dists_trixie-backports_main_i18n_Translation-en _etc_apt_mirrors_debian.list_dists_trixie-backports_main_source_Sources _etc_apt_mirrors_debian.list_dists_trixie-updates_InRelease _etc_apt_mirrors_debian.list_dists_trixie-updates_main_binary-amd64_Packages _etc_apt_mirrors_debian.list_dists_trixie-updates_main_i18n_Translation-en _etc_apt_mirrors_debian.list_dists_trixie-updates_main_source_Sources _etc_apt_mirrors_debian.list_dists_trixie_InRelease _etc_apt_mirrors_debian.list_dists_trixie_main_binary-amd64_Packages _etc_apt_mirrors_debian.list_dists_trixie_main_i18n_Translation-en _etc_apt_mirrors_debian.list_dists_trixie_main_source_Sources d17k9fuiwb52nc.cloudfront.net_dists_trixie_InRelease d17k9fuiwb52nc.cloudfront.net_dists_trixie_main_binary-amd64_Packages d17k9fuiwb52nc.cloudfront.net_dists_trixie_nginx_binary-amd64_Packages d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-7.1_binary-amd64_Packages d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-7.2_binary-amd64_Packages d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-7.3_binary-amd64_Packages d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-7.4_binary-amd64_Packages d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-8.0_binary-amd64_Packages d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-8.1_binary-amd64_Packages d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-8.2_binary-amd64_Packages d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-8.3_binary-amd64_Packages d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-8.4_binary-amd64_Packages d17k9fuiwb52nc.cloudfront.net_dists_trixie_php-8.5_binary-amd64_Packages d17k9fuiwb52nc.cloudfront.net_dists_trixie_proftpd_binary-amd64_Packages d17k9fuiwb52nc.cloudfront.net_dists_trixie_varnish-7_binary-amd64_Packages mirror.mariadb.org_repo_11.8_debian_dists_trixie_main_binary-amd64_Packages mirror.mariadb.org_repo_11.8_debian_dists_trixie_main_binary-arm64_Packages repository.netdata.cloud_repos_repoconfig_debian_trixie_Packages repository.netdata.cloud_repos_stable_debian_trixie_Packages user@host:~$ sudo apt install -y lz4 The following packages were automatically installed and are no longer required: libgnutls-dane0t64 libunbound8 Use 'sudo apt autoremove' to remove them. Installing: lz4 Summary: Upgrading: 0, Installing: 1, Removing: 0, Not Upgrading: 0 Download size: 51.7 kB Space needed: 146 kB / 395 GB available Get:1 file:/etc/apt/mirrors/debian.list Mirrorlist [30 B] Get:2 https://deb.debian.org/debian trixie/main amd64 lz4 amd64 1.10.0-4 [51.7 kB] Fetched 51.7 kB in 0s (409 kB/s) Selecting previously unselected package lz4. (Reading database ... 89596 files and directories currently installed.) Preparing to unpack .../lz4_1.10.0-4_amd64.deb ... Unpacking lz4 (1.10.0-4) ... Setting up lz4 (1.10.0-4) ... Processing triggers for man-db (2.13.1-1) ... user@host:~$ ls -1 /var/lib/apt/lists/*d17k9fui*Packages*.lz4 ls: cannot access '/var/lib/apt/lists/*d17k9fui*Packages*.lz4': No such file or directory user@host:~$ ls -1 /var/lib/apt/lists/*mirrors*debian.list*Packages*.lz4 ls: cannot access '/var/lib/apt/lists/*mirrors*debian.list*Packages*.lz4': No such file or directory user@host:~$ # CloudPanel user@host:~$ sudo lz4cat /var/lib/apt/lists/*d17k9fui*trixie_main*_Packages*.lz4 \ | awk 'BEGIN{p=0} $0=="Package: sgml-base"{p=1} p{print} p && $0==""{exit}' \ > /tmp/sgml-base.cloudpanel.stanza /var/lib/apt/lists/*d17k9fui*trixie_main*_Packages*.lz4: No such file or directory user@host:~$ user@host:~$ # Debian (mirror+file) user@host:~$ sudo lz4cat /var/lib/apt/lists/*mirrors*debian.list*trixie_main*_Packages*.lz4 \ | awk 'BEGIN{p=0} $0=="Package: sgml-base"{p=1} p{print} p && $0==""{exit}' \ > /tmp/sgml-base.debian.stanza /var/lib/apt/lists/*mirrors*debian.list*trixie_main*_Packages*.lz4: No such file or directory user@host:~$ diff -u /tmp/sgml-base.debian.stanza /tmp/sgml-base.cloudpanel.stanza | sed -n '1,200p' user@host:~$ # adjust exact paths from Filename: user@host:~$ DEB_FN="pool/main/s/sgml-base/sgml-base_1.31+nmu1_all.deb" user@host:~$ CP_FN="pool/main/s/sgml-base/sgml-base_1.31+nmu1_all.deb" user@host:~$ wget -O /tmp/sgml-base.debian.deb " https://deb.debian.org/debian/$DEB_FN"; --2025-12-13 12:42:19-- https://deb.debian.org/debian/pool/main/s/sgml-base/sgml-base_1.31+nmu1_all.deb Resolving deb.debian.org (deb.debian.org)... 2a04:4e42:3d::644, 199.232.2.132 Connecting to deb.debian.org (deb.debian.org)|2a04:4e42:3d::644|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 10868 (11K) [application/vnd.debian.binary-package] Saving to: '/tmp/sgml-base.debian.deb' /tmp/sgml-base.debian.deb 100%[=============>] 10.61K --.-KB/s in 0s 2025-12-13 12:42:19 (66.2 MB/s) - '/tmp/sgml-base.debian.deb' saved [10868/10868] user@host:~$ wget -O /tmp/sgml-base.cloudpanel.deb " https://d17k9fuiwb52nc.cloudfront.net/$CP_FN"; --2025-12-13 12:42:20-- https://d17k9fuiwb52nc.cloudfront.net/pool/main/s/sgml-base/sgml-base_1.31+nmu1_all.deb Resolving d17k9fuiwb52nc.cloudfront.net (d17k9fuiwb52nc.cloudfront.net)... 2600:9000:28b2:2400:1f:bfe9:ea00:93a1, 2600:9000:28b2:7800:1f:bfe9:ea00:93a1, 2600:9000:28b2:2a00:1f:bfe9:ea00:93a1, ... Connecting to d17k9fuiwb52nc.cloudfront.net (d17k9fuiwb52nc.cloudfront.net)|2600:9000:28b2:2400:1f:bfe9:ea00:93a1|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 12026 (12K) [application/octet-stream] Saving to: '/tmp/sgml-base.cloudpanel.deb' /tmp/sgml-base.cloudpanel.deb 100%[=============>] 11.74K --.-KB/s in 0s 2025-12-13 12:42:20 (209 MB/s) - '/tmp/sgml-base.cloudpanel.deb' saved [12026/12026] user@host:~$ user@host:~$ sha256sum /tmp/sgml-base.debian.deb /tmp/sgml-base.cloudpanel.deb a355b832d9f0f4dc9eca1a661080db5dc118e6c435f107a5c4dd201d7af59ba8 /tmp/sgml-base.debian.deb 95e923cec742ff773651bb0230fd0ee14aa1a7e092bd875c413f935729ae397d /tmp/sgml-base.cloudpanel.deb user@host:~$ dpkg-deb -I /tmp/sgml-base.debian.deb | sed -n '1,120p' new Debian package, version 2.0. size 10868 bytes: control archive=2292 bytes. 763 bytes, 21 lines control 1054 bytes, 15 lines md5sums 3236 bytes, 115 lines * postinst #!/bin/sh 1157 bytes, 36 lines * postrm #!/bin/sh 669 bytes, 21 lines * preinst #!/bin/sh 1180 bytes, 43 lines * prerm #!/bin/sh 96 bytes, 4 lines triggers Package: sgml-base Version: 1.31+nmu1 Architecture: all Maintainer: Debian QA Group <[email protected]> Installed-Size: 65 Suggests: sgml-base-doc Section: text Priority: optional Multi-Arch: foreign Description: SGML infrastructure and SGML catalog file support This package creates the SGML infrastructure directories and provides SGML catalog file support in compliance with the current Debian SGML Policy draft: . * infrastructure directories: - /etc/sgml - /usr/share/sgml/{declaration,dtd,entities,misc,stylesheet} - /usr/share/local/sgml/{declaration,dtd,entities,misc,stylesheet} . * update-catalog(8): tool for maintaining the root SGML catalog file and the package SGML catalog files in the '/etc/sgml' directory. user@host:~$ dpkg-deb -I /tmp/sgml-base.cloudpanel.deb | sed -n '1,120p' new Debian package, version 2.0. size 12026 bytes: control archive=2292 bytes. 763 bytes, 21 lines control 1054 bytes, 15 lines md5sums 3236 bytes, 115 lines * postinst #!/bin/sh 1157 bytes, 36 lines * postrm #!/bin/sh 669 bytes, 21 lines * preinst #!/bin/sh 1180 bytes, 43 lines * prerm #!/bin/sh 96 bytes, 4 lines triggers Package: sgml-base Version: 1.31+nmu1 Architecture: all Maintainer: Debian QA Group <[email protected]> Installed-Size: 65 Suggests: sgml-base-doc Section: text Priority: optional Multi-Arch: foreign Description: SGML infrastructure and SGML catalog file support This package creates the SGML infrastructure directories and provides SGML catalog file support in compliance with the current Debian SGML Policy draft: . * infrastructure directories: - /etc/sgml - /usr/share/sgml/{declaration,dtd,entities,misc,stylesheet} - /usr/share/local/sgml/{declaration,dtd,entities,misc,stylesheet} . * update-catalog(8): tool for maintaining the root SGML catalog file and the package SGML catalog files in the '/etc/sgml' directory. user@host:~$ On Sat, Dec 13, 2025, 12:03 David Kalnischkies <[email protected]> wrote: > Am Thu, Dec 11, 2025 at 11:44:31PM -0300, schrieb Olegário A. Filho: > > 2) apt policy output for the affected package > > > > # apt policy sgml-base > > sgml-base: > > Installed: 1.31+nmu1 > > Candidate: 1.31+nmu1 > > Version table: > > *** 1.31+nmu1 500 > > 500 mirror+file:/etc/apt/mirrors/debian.list trixie/main > amd64 > > Packages > > 100 /var/lib/dpkg/status > > 1.31+nmu1 1000 > > 1000 https://d17k9fuiwb52nc.cloudfront.net trixie/main amd64 > > Packages > > > > Note: the same version (1.31+nmu1) is available from both Debian’s mirror > > and CloudPanel’s “trixie main” repository. > > That isn't the same version. It has the same version number, yes, but > libapt has detected a subtil difference in those packages. Their hashes > might be different if the package doesn't build reproducibly or the > dependencies (versions) differ. Are you sure the packages are "copied" > and not also (re)build there? Its "easiest" to look at the stanzas in > the Packages files and compare those for EXACT match. libapt does slight > massaging, but even a spurious 0:-epoch can throw it off (not all fields > are compared, but without looking I suspect a dependency with a non- > canonical version number that is differently formatted by different > tools. libapt does not canonicalize version numbers – too expensive). > > > Given the versions are different and apt detects the installed one as > the one from Debian (also hinting at a small difference caused by > different repository generators) the behaviour you encounter is actually > the one you have configured to happen and is correct. > > If the versions are detected as the same, they are grouped together > under the same version number, like the Debian version and the installed > version are grouped together. The other one would be the third line in > this group – if they were detected as the same. > > > Best regards > > David Kalnischkies >
