Debian Stretch wants to upgrade main packages after enabling backports

Question

Certbot requires me to activate stretch-backports for its installation. So after having

$ cat /etc/apt/sources.list.d/backports.list
deb http://ftp.debian.org/debian stretch-backports main

and doing a sudo apt update I get

$ apt list --upgradable
Listing... Done
libpam-systemd/stretch-backports 237-3~bpo9+1 amd64 [upgradable from: 232-25+deb9u3]
libsystemd0/stretch-backports 237-3~bpo9+1 amd64 [upgradable from: 232-25+deb9u3]
libudev1/stretch-backports 237-3~bpo9+1 amd64 [upgradable from: 232-25+deb9u3]
systemd/stretch-backports 237-3~bpo9+1 amd64 [upgradable from: 232-25+deb9u3]
systemd-sysv/stretch-backports 237-3~bpo9+1 amd64 [upgradable from: 232-25+deb9u3]
udev/stretch-backports 237-3~bpo9+1 amd64 [upgradable from: 232-25+deb9u3]

$ sudo apt upgrade
[...]
The following packages have been kept back:
  systemd-sysv
The following packages will be upgraded:
  libpam-systemd libsystemd0 libudev1 systemd udev
5 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
Need to get 4,795 kB of archives.
After this operation, 2,540 kB of additional disk space will be used.
Do you want to continue? [Y/n]

It really looks like it would continue updating the packages mentioned.

However, from this answer, I quote:

Packages from backports are never valid installation candidates for an upgrade from the main repositories, only for upgrade from a previous version of a backported package; so while apt list --upgradable lists it as an upgradable package, apt upgrade won’t consider it for upgrade. You can see this in the output of apt-cache policy

So checking

$ apt policy systemd
systemd:
  Installed: 232-25+deb9u3
  Candidate: 237-3~bpo9+1
  Version table:
     237-3~bpo9+1 100
        100 http://ftp.debian.org/debian stretch-backports/main amd64 Packages
 *** 232-25+deb9u3 100
        100 /var/lib/dpkg/status
     232-25+deb9u2 500
        500 http://ftp.debian.org/debian stretch/main amd64 Packages

it seems like the backports version is valid for upgrade.

How can I enable upgrading from backports only for those packages which were originally installed from backports (i.e. via apt -t stretch-backports)?

EDIT: My sources.list

$ cat /etc/apt/sources.list
deb http://ftp.debian.org/debian stretch main
deb-src http://ftp.debian.org/debian stretch main

deb http://security.debian.org/debian-security stretch/updates main contrib
deb-src http://security.debian.org/debian-security stretch/updates main contrib

Answer 1

You don’t need to enable anything to enforce the documented behaviour for backports, but you do need to ensure that the system knows where your installed packages come from. In your case, you have a version of systemd from stretch/updates, but your sources don’t reference that, so apt gives the installed version of systemd a score of 100 which is less than or equal to the backports score (see your apt policy output).

To fix this, make sure your /etc/apt/sources.list has entries for stretch-updates, something like

deb http://ftp.debian.org/debian stretch-updates main
deb-src http://ftp.debian.org/debian stretch-updates main

You should then see apt policy systemd give the following results:

systemd:
  Installed: 232-25+deb9u3
  Candidate: 232-25+deb9u3
  Version table:
     237-3~bpo9+1 100
        100 http://ftp.debian.org/debian stretch-backports/main amd64 Packages
 *** 232-25+deb9u3 500
        500 http://ftp.debian.org/debian stretch-updates/main amd64 Packages
        100 /usr/var/lib/dpkg/status
     232-25+deb9u2 500
        500 http://ftp.debian.org/debian stretch/main amd64 Packages