I can follow main three repo's for regular update && upgrade like old days.Packages from -backport have
ver. no. as 'bpo' & can be used with some salt. Have no idea about 'proposed'. I can assume that pkg's flow
from experimental to ceres to ascii after 10/20 days without major bug. Hope you will put some light on this.

"~deb9u1" is upgrade one of stretch pushed through stretch security (decleared on their site).That is why it is
upgradable. Other suits have not received updates, but only stable. Securiry patch will be provided only
on next upgrade of chromium for buster & sid (ceres).
You know that if chromium will be devuanised then 'devuan1' will be added next & ready for automatic update.
Any correction will be helpfull for devuan users.

On the other hand, jessie-security and jessie-updates and jessie-proposed-updates all have packages. I don't know the logic of what packages go where. I do hope to get some clarification on this, and that will probably happen around the time that amprolla3 is deployed.

gnath, it's not clear what you're saying about which version is higher and patched. The version in buster, sid and ceres does have the patch. I think the "~deb9u1" just means that the package was backported to debian9 (stretch).

@fsmithred chromium-60.0.3112.78-1 was in buster,sid,ceres & @ogis1975 chromium-60.0.3112.78-1~deb9u1 from
stretch security which is higher version & has security patch. Now ascii-proposed-updates has that security
update (ascii-security?). To get latest version we have to activate all suites for regular update && upgrade.

deb http://auto.mirror.devuan.org/merged ascii-proposed-updates main contrib non-free

And now I see this - chromium-60 is in ascii-proposed-updates

# apt-cache policy chromium
chromium:
  Installed: 57.0.2987.98-1~deb8u1
  Candidate: 57.0.2987.98-1~deb8u1
  Version table:
     60.0.3112.78-1~deb9u1 0
        100 http://auto.mirror.devuan.org/merged/ ascii-proposed-updates/main amd64 Packages
     59.0.3071.86-1 0
        100 http://us.mirror.devuan.org/merged/ ascii/main amd64 Packages
 *** 57.0.2987.98-1~deb8u1 0
        500 http://us.mirror.devuan.org/merged/ jessie/main amd64 Packages
        500 http://auto.mirror.devuan.org/merged/ jessie-security/main amd64 Packages
        100 /var/lib/dpkg/status

To see if you pulled in packages from backports or testing, you can run

aptitude search ~i -F"%p# %v# %t#"

Clean bill of health: piping this through 'grep backports' or 'grep testing' returns nothing. 
.
Many thanks for this most helpful answer.

Edit:
Although piping it through 'grep bpo9' turned up:

geoip-database                         20170713-1~bpo9+1                       
manpages                               4.12-1~bpo9+1                           
manpages-dev                           4.12-1~bpo9+1

which I have now uninstalled and reinstalled from jessie-backports:

piping it through 'grep geoip-database' gives
geoip-database                         20170512-1~bpo8+1      jessie-backports

and through 'grep manpages' gives
manpages                               3.74-1                 jessie-backports 
manpages-dev                           3.74-1                 jessie-backports

and through 'bpo9' gives nothing.

So now I have to figure how stretch-backports got into the sources.list and check my other machines.

But i'd like to repeat my thanks for such a helpful answer.

To see if you pulled in packages from backports or testing, you can run

aptitude search ~i -F"%p# %v# %t#"

but I'm not sure it will be entirely accurate. I'm running jessie, and it shows most of my packages are from "stable" with a few from "jessie-backports". If there are packages from ascii or stretch, they should show up as "testing".

For packages that have not been devuanized, you won't be able to tell whether you pulled it from debian or devuan unless you can find a version mismatch, Where debian has a different version than devuan, and you have installed the version from debian. Right now, the only example I can think of is chromium-60 in stretch security vs. chromium-59 from ascii. If you were running ascii and had chromium-60 running and you didn't get it from the ceres repo, you would have gotten it from debian.

For reference, here are some other useful commands: https://dev1galaxy.org/viewtopic.php?id=511

What packages did you get from debian that you should not have gotten?

I wish I could answer that with any degree of confidence.  After the unauthorized packages incident, I uninstalled as much as I could remember flashing passed me in the terminal. Due to the incomplete logs, I could only guess.  Is there a way to compare installed packages with those held in devuan repositories on a system-wide basis, not an individual package basis?

I have tried three times to offer a better answer to your question, but I keep getting timed out.  I exported the apt-get purge and reinstall sequence of packages, but it runs to over 1000 words which I feel is too long to post, although I am happy to email or otherwise provide it if that would help.  However, a better solution would be to see if I have any 'debian-native, non-devuan' packages installed. and post the results of that.  So any pointers on what commands would achieve that would be most helpful.
Many thanks

f

Should I be doing - graphics?, playing with different 'themes' and desktop environments?
IMO 'themes' are pretty much a ....  - I know  - Linux is about 'freedom of choice"!!
( 5 or 6 basic color combination is all that is needed )  - - it seems that about 25% of trouble tickets
are related to font size in so-and-so DE, or a panel/menu doesn't fade/overlay/align!!
'
Well wait a minute - Gary  :: Linux has a work side and a fun size   -- OKAY - back on track
It is a question - I want to try and help Devuan debug ascii and ceres .
TIA

In my opinion, as light as it may be, this jessie was too early to be called 1.0, it should have retained its beta tag till ascii gets finished/audited.  Ascii seems barely started, and stretch on the other side seems a bit problematic as compared to previous stable editions.  If I am not mistaken, stretch went into freeze for the longest time in debian history.  Unlucky timing for devuan?  Jessie 8 had more than 500 bug tickets open before stretch became stable.
One systemd mess chasing another.

In my opinion, the mistake wasn't calling jessie stable, it was calling it jessie! Of course, jessie is Devuan stable, but jessie is Debian oldstable. Debian stable is stretch, but the Devuan branch that tracks stretch is not even alpha - call it testing. So people say 'jessie', or 'stable' or 'testing' or this or that, and it gets very confusing very fast. Whose stable? Which jessie? Yes, often you can tell from context, but sometimes not so much.

And yes, Debian is dealing with one systemd mess chasing another... I did some testing with Stretch this morning, and I feel like I need to take a shower :-)  I don't think it's any stretch (ha ha!) to say that systemd disgusts me. I'm back to my usual dual-boot between ascii and (Devuan!) jessie...

I'm sure Dan meant sources.list and sources.list.d. I don't see any debian sources in what you posted. What packages did you get from debian that you should not have gotten?

RIP good old wheezy

I checked with someone who knows more than both of us put together (CenturionDan):

if that happens then there is a debian stanza in either /etc/apt/sources or /etc/apt/sources.d/

Can't see it:

$ ls -al /etc/apt
total 84
drwxr-xr-x   6 root root  4096 Sep  1 09:03 .
drwxr-xr-x 126 root root 12288 Sep  2 05:14 ..
drwxr-xr-x   2 root root  4096 Sep  1 09:03 apt.conf.d
-rw-r--r--   1 root root    99 Sep  1 09:03 listchanges.conf
drwxr-xr-x   2 root root  4096 Sep  1 09:03 preferences.d
-rw-r--r--   1 root root  1240 Sep  1 09:03 sources.list
-rw-r--r--   1 root root     0 Sep  1 09:03 sources.list~
drwxr-xr-x   2 root root  4096 Sep  1 09:03 sources.list.d
-rw-r--r--   1 root root 40508 Sep  1 09:03 trusted.gpg
-rw-r--r--   1 root root  3530 Sep  1 09:03 trusted.gpg~
drwxr-xr-x   2 root root  4096 Sep  1 09:03 trusted.gpg.d

$ ls -al /etc/apt/sources.list.d
total 12
drwxr-xr-x 2 root root 4096 Sep  1 09:03 .
drwxr-xr-x 6 root root 4096 Sep  1 09:03 ..
-rw-r--r-- 1 root root  247 Sep  1 09:03 devuan.list

$ cat /etc/apt/sources.list.d/devuan.list
# autogenerated by devuan-baseconf
# decomment following lines to  enable the developers devuan repository
#deb http://packages.devuan.org/devuan jessie main contrib non-free
#deb-src http://packages.devuan.org/devuan jessie main contrib non-free

$ cat /etc/apt/sources.list
#
deb http://linux-libre.fsfla.org/pub/linux-libre/freesh freesh main

# deb cdrom:[Debian GNU/Linux 1.0 _Jessie_ - Official Beta2 amd64 DVD Binary-1 20161128-18:28]/ jessie contrib main non-free

#deb cdrom:[Debian GNU/Linux 1.0 _Jessie_ - Official Beta2 amd64 DVD Binary-1 20161128-18:28]/ jessie contrib main non-free

deb http://auto.mirror.devuan.org/merged/ jessie main
#deb-src http://gb.mirror.devuan.org/merged/ jessie main

# jessie-security, previously known as 'volatile'
deb http://packages.devuan.org/merged/ jessie-security main
#deb-src http://gb.mirror.devuan.org/merged/ jessie-security main

# jessie-updates, previously known as 'volatile'
deb http://auto.mirror.devuan.org/merged/ jessie-updates main
#deb-src http://gb.mirror.devuan.org/merged/ jessie-updates main

# jessie-backports, previously on backports.debian.org
#deb http://auto.mirror.devuan.org/merged/ jessie-backports main
#deb-src http://gb.mirror.devuan.org/merged/ jessie-backports main

#Devuan repositories
deb http://packages.devuan.org/merged jessie main
#deb-src http://packages.devuan.org/merged jessie main

Silly question for my own clarity: are CenturianDan's '/etc/apt/sources' and '/etc/apt/sources.d'  missing from my '/etc/apt/*' or are they shorthand for '/etc/apt/sources.list' and '/etc/apt/sources.list.d'? Where else should I be looking?  Sorry if i've missed the point.

I can offer half an answer to my own question (Q2, post#6):

If Amprolla is down or otherwise unavailable, apt-get appears to use the underlying debian repos in consequence.  This results in a whole bunch of unauthenticated packages (because I have the devuan keyring not the debian) including packages which are normally held back.  Although this constitutes using mixed repos, it appears like normal behaviour to apt-get, and so it simply gets logged as a striaghtforward upgrade.  This has happened three times now: it appears that this behaviour is reproducible.  I don't know enough to call it a bug, but it seems serious enough to warrant flagging up.  Perhaps someone who knows more than me could confirm and escalate if necessary.  For the rest of us noobs, just exercise caution if Amprolla is unavailable.

I checked with someone who knows more than both of us put together (CenturionDan):

-rw-r--r-- 1 root root 7.4K May 25 21:17 debian-archive-stretch-automatic.gpg
-rw-r--r-- 1 root root 7.4K May 25 21:17 debian-archive-stretch-security-automatic.gpg
-rw-r--r-- 1 root root 2.3K May 25 21:17 debian-archive-stretch-stable.gpg
-rw-r--r-- 1 root root 3.6K Nov 22  2016 devuan-keyring-2016-archive.gpg
-rw-r--r-- 1 root root 2.2K Nov 22  2016 devuan-keyring-2016-cdimage.gpg
-rw-r--r-- 1 root root 5.1K Nov 30  2014 debian-archive-jessie-automatic.gpg
-rw-r--r-- 1 root root 5.1K Nov 30  2014 debian-archive-jessie-security-automatic.gpg
-rw-r--r-- 1 root root 2.8K Nov 30  2014 debian-archive-jessie-stable.gpg
-rw-r--r-- 1 root root 3.7K Nov 30  2014 debian-archive-wheezy-automatic.gpg
-rw-r--r-- 1 root root 2.8K Nov 30  2014 debian-archive-wheezy-stable.gpg

to

$ ls /etc/apt/trusted.gpg.d

-rw-r--r-- 1 root root 3.6K Nov 22  2016 devuan-keyring-2016-archive.gpg
-rw-r--r-- 1 root root 2.2K Nov 22  2016 devuan-keyring-2016-cdimage.gpg

Should something like this produce errors, or only devuan specific packages come from devuan and the rest from debian?