Try using aptitude. It may give you some other options, some of which may allow you to get rid of pulseaudio and pulseaudio-utils.

Phil

Here's my result:

$ date && apt policy thunderbird
Sun Jun 16 12:56:56 EDT 2019
thunderbird:
  Installed: 1:60.7.0-1~deb9u1
  Candidate: 1:60.7.0-1~deb9u1
  Version table:
     2:52.9.1-2~mx17+2 50
         50 http://mxrepo.com/mx/repo stretch/main i386 Packages
 *** 1:60.7.0-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii-security/main i386 Packages
        100 /var/lib/dpkg/status
     1:60.6.1-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii/main i386 Packages

Here's another example:

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4447-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 15, 2019                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : intel-microcode
CVE ID         : CVE-2018-12126 CVE-2018-12127 CVE-2018-12130
                 CVE-2019-11091

This update ships updated CPU microcode for most types of Intel CPUs. It
provides mitigations for the MSBDS, MFBDS, MLPDS and MDSUM hardware
vulnerabilities.

To fully resolve these vulnerabilities it is also necessary to update
the Linux kernel packages as released in DSA 4444.

For the stable distribution (stretch), these problems have been fixed in
version 3.20190514.1~deb9u1.

We recommend that you upgrade your intel-microcode packages.

For the detailed security status of intel-microcode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/intel-microcode

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

More than 60 hours later and the update has not shown up yet:

$ apt policy intel-microcode
intel-microcode:
  Installed: 3.20180807a.2~deb9u1
  Candidate: 3.20180807a.2~deb9u1
  Version table:
 *** 3.20180807a.2~deb9u1 500
        500 http://deb.devuan.org/merged ascii/non-free i386 Packages
        100 /var/lib/dpkg/status
     3.20180807a.1~deb9u1 500
        500 http://deb.devuan.org/merged ascii-security/non-free i386 Packages

Phil

It turned out that a pin priority of 400 is too high. Even 100 is too high. I lowered it to 50 and now it works; 99 probably would have also worked, but I didn't bother testing it since the problem was already solved.

EDIT:

I thought I had this working, but further testing (via routine usage of the system) proved me wrong. I believe I have it working now, though, using this configuration:

Package: adobe-flashplugin
Pin: origin "mxrepo.com"
Pin-Priority: 100

Package: *
Pin: origin "mxrepo.com"
Pin-Priority: 50

Phil

The reason I set ASCII as the default release was because I am using an MX Linux repo for their adobe-flashplugin package.

Contents of /etc/apt/sources.list.d/mx-17.list:

# MX Community Main and Test Repos

deb http://mxrepo.com/mx/repo/ stretch non-free #main

#deb http://la.mxrepo.com/mx/testrepo/ stretch test

However, with the MX-17 repo enabled, APT tries to pull in other packages:

$ aptitude upgrade -s
The following packages will be upgraded: 
  intel-microcode unrar 
2 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,557 kB of archives. After unpacking 9,216 B will be used.

Note: Using 'Simulate' mode.
Do you want to continue? [Y/n/?]

If I lower the priority of the MX-17 repo to 400, will that solve this problem? If so, how do I do that?

Thanks for the reply. Here's that info:

$ apt policy libssl1.0.2
libssl1.0.2:
  Installed: 1.0.2q-1~deb9u1
  Candidate: 1.0.2q-1~deb9u1
  Version table:
     1.0.2r-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii-security/main i386 Packages
 *** 1.0.2q-1~deb9u1 990
        990 http://deb.devuan.org/merged ascii/main i386 Packages
        100 /var/lib/dpkg/status

That's an interesting (but puzzling) result.

I created a new Firefox profile to see if that would help, but it did not. I also have Devuan ASCII (64-bit) in a VM, and I tried the same test with that system. No problem there.

The Devuan ASCII system with the problem, the one that I am using right now, started out as Debian Squeeze, so it's an old system that (likely) has a considerable amount of cruft. Since I am planning to reinstall the system some time next year, I now consider this problem as solved. Thank you all for your help.

Phil

P.S. I unchecked "Allow pages to choose their own fonts, instead of your selections above", and the problem is now gone.

If anyone wants to test this, visit this web page:
Tamiflu Prices and Tamiflu Coupons - GoodRx

Click on one of the green buttons that read "GET FREE COUPON". After the page with the coupon loads, print the page to a PDF file.

Phil

Have you looked at Window Maker (wmaker)?

Why don't you connect a DVD drive via USB? You won't need to boot from it since you'd only be pulling packages from the DVD(s). And, yes, it can be done because that's what I used to do for an old laptop that wouldn't reliably boot from a DVD, even though it had a DVD-ROM drive. With this solution, installing the additional packages from the DVD(s) would need to be done post-installation.

Here's the command you would need to make this work:

# apt-cdrom -d <path-to-the-USB-DVD-drive>

After installation and set-up is complete, you would need to edit sources.list to remove the reference(s) to the DVD(s).

Phil

Thank you for the suggestion. Yes, I did, and the problem remains.

Phil

I thought I should post a follow-up to my previous message to explain my situation a little better. Back in 2017 I created a customized live CD based on Debian Jessie, but without systemd. While testing my live CD, I discovered that the "Restart" and "Shut Down" buttons in Xfce were not working properly. Since I built my live CD with "Recommends" (recommended packages) disabled, I figured that I must be missing some semi-important package(s). After a little research, I guessed that installing policykit-1 might fix the problem, and I was right.

To reiterate, this solution worked for me:

# aptitude update
# aptitude install policykit-1

That's it!

That systemd-free Debian Jessie was installed in a VM, and later on it was dist-upgraded to Devuan ASCII. The upgrade went smoothly, and afterward LightDM continued to work normally. I don't know what the best solution to this problem is, but I thought I should chime in with my experience in case the information is helpful to someone.

Phil