Upgrading Debian Linux to a specific patch level

I have a few dozen Debian boxes which I want to keep up to date in a deterministic fashion, and also follow the Engineering => Pre-Prod => Prod routine with a deterministic staging process.

Ideal world for me would be to have some sort of 'patch level ID' at hand, like 2022-01-10.e28de15cc1 and be able to say apt upgrade --to 2022-01-10.e28de15cc1, but I've not found anything remotely similar.

I can probably hash the output of apt list --installed after upgrading the first box and simulate the concept, but am really wondering why no one has done it. Is my mental model of keeping penguins tidy completely off here?


Solution 1:

As far as I know, an apt repository does not have a global ID referring to certain version numbers of all packages. You could create a list of package versions, distribute it to all servers, and create a script to fetch those specific versions. But such a script is "error-prone", and you get in trouble if that specific version has been deleted from the repository.

The easiest way to achieve this is probably to set up your own repository (or three, if you'd like to keep engineering / pre-prod / prod at different levels), and whenever you'd like to update, you'd have to update the repo server first, and afterwards the connected servers...
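
The version-list approach from the question and Solution 1, sketched as an added example (not code from the original post or from apt itself): it derives a patch-level ID from a sorted "package=version" manifest, reports drift between a reference manifest and a host, and prints the apt-get call that requests exactly the manifest versions. The function names, the ID format and the sample manifests are assumptions made up for this illustration.

```shell
#!/usr/bin/env bash
# Manifest format: one "package=version" per line, as produced on a Debian host by
#   dpkg-query -W -f='${Package}=${Version}\n'

# patch_level_id DATE < manifest   (hypothetical helper)
# Prints DATE.<first 10 hex digits of SHA-256 over the sorted manifest>.
patch_level_id() {
    local digest
    digest=$(LC_ALL=C sort -u | sha256sum | cut -c1-10)
    printf '%s.%s\n' "$1" "$digest"
}

# manifest_drift REFERENCE HOST   (hypothetical helper)
# Prints one line per package that is missing, extra, or at another version.
manifest_drift() {
    awk -F'=' '
        NR == FNR { want[$1] = $2; next }
        { have[$1] = $2 }
        END {
            for (p in want) {
                if (!(p in have)) print "missing " p "=" want[p]
                else if (have[p] != want[p])
                    print "mismatch " p " have=" have[p] " want=" want[p]
            }
            for (p in have) if (!(p in want)) print "extra " p "=" have[p]
        }' "$1" "$2" | LC_ALL=C sort
}

# pin_command REFERENCE   (hypothetical helper)
# Prints the apt-get call requesting exactly the manifest versions. apt-get
# fails if the repository no longer carries one of them.
pin_command() {
    printf 'apt-get install --yes --allow-downgrades'
    LC_ALL=C sort -u "$1" | while IFS= read -r pkg; do printf ' %s' "$pkg"; done
    printf '\n'
}

# Constructed sample manifests (not real host output).
demo=$(mktemp -d)
printf '%s\n' 'bash=5.1-2+b3' 'openssl=1.1.1k-1' 'zlib1g=1:1.2.11-4' > "$demo/reference"
printf '%s\n' 'openssl=1.1.1d-0' 'bash=5.1-2+b3' 'curl=7.74.0-1' > "$demo/host"
echo "reference level: $(patch_level_id 2022-01-10 < "$demo/reference")"
echo "host level:      $(patch_level_id 2022-01-10 < "$demo/host")"
manifest_drift "$demo/reference" "$demo/host"
pin_command "$demo/reference"
```

Two hosts report the same ID only when their installed sets are identical, so the ID works as a staging gate; the printed apt-get call still depends on the repository keeping the listed versions, which is the problem a private repository per stage avoids.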