Unfortunately there is a pretty high risk for package name conflicts, if multiple package repositories are involved. There is no reliable way to make sure that some 3rd-party repo doesn't provide its own "improved" openssl packages, for example. Would it be possible to show the URL a package is coming from in the output of apt upgrade? Something like apt-get --print-uris upgrade but without the dry-run part? It has to be in the log file without a dry-run first. And the option should be set in apt.conf, to make sure existing code is not affected (unattended-upgrades, docker files, cron scripts, pbuilder, lxc templates, etc.) Of course I understand that the log files need to be watched to make this work. At the moment the log files don't even tell. This is worse. Thank you very much in advance Harri