
So this might sound like a rather strange question, and it obviously goes against some of the concepts that apt provides, but I would ask you to entertain my problem:

What I'm looking for is a tool or workflow to simulate what pip-tools does but for apt: https://github.com/jazzband/pip-tools

For those who are not familiar with it: you basically define your abstract requirements in one file, e.g.:

package_A
package_B > X.Y

And then you resolve and fix those dependencies and their child dependencies (in another file):

package_A == X.Y
package_B == X.Y
dependency_from_A == X.Y
dependency_from_B == X.Y

Afterwards you can even upgrade single packages and their dependencies with minimal changes to your overall requirements.

So I'm looking for something that can provide something like this but for Debian packages installed with apt. I have some base packages and then I would like to have a fixed state of their version and dependency version. Ideally with apt pinning so that you can't update a package that has been defined like this.

Why would you want something like this? I work in a very regulated environment where I need to provide documentation for which dependencies my application has been tested for and provide these environments reliably in deployment. Essentially I need to be able to say (or rather write down): My application version X.Y depends on other software package_A in version X.Y and dependency_from_A in version X.Y, etc. And then on installation on a server I need to install exactly these versions. And ideally I'd like these packages to be pinned so they can't be upgraded accidentally, making the deployment non-compliant.

I hope this makes sense.
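As an added example (not part of the original post and not an existing tool), here is one way to approximate the "resolved file" half of this workflow: take a package/version listing captured on the tested system, render it as exact-version apt pins, and report drift on a deployment target. The tab-separated listing format, the function names and the sample packages are assumptions made for illustration.

```python
# Constructed sample data in the format printed by
#   dpkg-query -W -f='${Package}\t${Version}\n'
# (package names and versions are made up for illustration).
LOCK = "package-a\t1.2.3-1\npackage-b\t1:2.0.1-4+b1\ndependency-from-a\t0.9-2\n"
SERVER = "package-a\t1.2.3-1\npackage-b\t1:2.0.2-1\nunlisted-tool\t3.1-1\nold-pkg\t\n"


def parse_listing(text):
    """Return {package: version}; skip entries with an empty version
    (dpkg-query can print those for removed-but-not-purged packages)."""
    versions = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        name, tab, version = line.partition("\t")
        name, version = name.strip(), version.strip()
        if not tab or not name or " " in name or " " in version:
            raise ValueError(f"line {lineno}: expected 'package<TAB>version'")
        if version:
            versions[name] = version
    return versions


def render_preferences(locked, priority=1001):
    """Build apt_preferences(5) stanzas, one exact-version pin per package.
    Priority 1001 makes apt prefer the pinned version even if that is a downgrade."""
    return "\n".join(
        f"Package: {name}\nPin: version {locked[name]}\nPin-Priority: {priority}\n"
        for name in sorted(locked)
    )


def drift(locked, installed):
    """Return {package: (locked_version, installed_version)} for every mismatch;
    None marks a package that is missing from one side."""
    return {
        name: (locked.get(name), installed.get(name))
        for name in sorted(set(locked) | set(installed))
        if locked.get(name) != installed.get(name)
    }


if __name__ == "__main__":
    locked = parse_listing(LOCK)
    print(render_preferences(locked))  # content for a file under /etc/apt/preferences.d/
    for name, (want, have) in drift(locked, parse_listing(SERVER)).items():
        print(f"DRIFT {name}: locked={want} installed={have}")
```

The pinned versions must still be retrievable from a repository the server can reach, so this only covers recording and enforcing the versions, not archiving the packages themselves.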

0 Answers