What is the recommended method of installing an arbitrary version of a package using apt?

The Problem:

I need a way to install specific, pinned versions of some packages on my Debian system. snapshot.debian.org appears to offer a means to do this; however, even after adding a snapshot to my apt sources I am unable to apt-get install some specific versions of the packages within that snapshot archive.

The Question:

What is the official or "correct" way of installing a specific package version from a Debian snapshot archive?

Background & What I've Tried:

Let's use Debian 8 Jessie and the 3.16.x kernel binary one minor version behind the current one as our examples. As of this writing, Jessie's released kernel is 3.16.43-2+deb8u5. Say I want to install 3.16.43-2+deb8u4.

I begin by searching the debian snapshot archives for the version I want (http://snapshot.debian.org/binary/linux-image-3.16.0-4-amd64/) and click on the exact version of the kernel that I'm looking for, which gets me to http://snapshot.debian.org/package/linux/3.16.43-2%2Bdeb8u4/#linux-image-3.16.0-4-amd64_3.16.43-2:2b:deb8u4

From there, I can see that the package was "Seen in debian-security on 2017-09-20 22:12:21" and "Seen in debian on 2017-10-08 16:31:52". I decide to use the former and settle on debian-security snapshot 20170920T221221Z.

Following the instructions on the front page of snapshot.debian.org, I add the following to my /etc/apt/sources.list:

deb http://snapshot.debian.org/archive/debian-security/20170920T221221Z/ jessie/updates main
deb-src http://snapshot.debian.org/archive/debian-security/20170920T221221Z/ jessie/updates main

I then run apt-get -o Acquire::Check-Valid-Until=false update and see that the update (appears to) successfully complete.

I'd think this would allow me to now install the desired version of the kernel but apt only knows about two installation candidates, 3.16.43-2+deb8u2 and 3.16.43-2+deb8u5. No sign of +deb8u4:

# apt-cache madison linux-image-3.16.0-4-amd64
linux-image-3.16.0-4-amd64 | 3.16.43-2+deb8u5 | http://security.debian.org/ jessie/updates/main amd64 Packages
linux-image-3.16.0-4-amd64 | 3.16.43-2+deb8u5 | http://snapshot.debian.org/archive/debian-security/20170920T221221Z/ jessie/updates/main amd64 Packages
linux-image-3.16.0-4-amd64 | 3.16.43-2+deb8u2 | http://cloudfront.debian.net/debian/ jessie/main amd64 Packages
linux-image-3.16.0-4-amd64 | 3.16.7-ckt25-2 | http://cloudfront.debian.net/debian/ jessie-updates/main amd64 Packages
     linux |  3.16.39-1 | http://cloudfront.debian.net/debian/ jessie-backports/main Sources

# apt-cache policy linux-image-3.16.0-4-amd64
linux-image-3.16.0-4-amd64:
  Installed: 3.16.43-2+deb8u5
  Candidate: 3.16.43-2+deb8u5
  Version table:
     3.16.43-2+deb8u5 0
        500 http://security.debian.org/ jessie/updates/main amd64 Packages
        500 http://snapshot.debian.org/archive/debian-security/20170920T221221Z/ jessie/updates/main amd64 Packages
 *** 3.16.43-2+deb8u2 0
        500 http://cloudfront.debian.net/debian/ jessie/main amd64 Packages
        100 /var/lib/dpkg/status
     3.16.7-ckt25-2 0
        500 http://cloudfront.debian.net/debian/ jessie-updates/main amd64 Packages

Additionally, if I attempt to specify and install the version I want, it returns "Not Found":

# apt-get install linux-image-3.16.0-4-amd64=3.16.43-2+deb8u4
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Version '3.16.43-2+deb8u4' for 'linux-image-3.16.0-4-amd64' was not found

I've managed to work around this by downloading the .deb binary and dpkg -i installing it but I'd prefer to use apt instead of curl'ing .debs down and installing them. Can anyone explain either what I need to do to be able to apt-get install a specific package or at least explain why this doesn't work the way that I expect it to?


This is not exact science, but here's a probable explanation of why it didn't work for this specific case (it usually works, when you're not following a target changing too fast).

A given repository usually references only one version of a package in the Packages file; for your example, this one. That's not a technical obligation: for example, deb https://dl.winehq.org/wine-builds/debian/ jessie main includes multiple versions of the same package in its Packages file, all retrievable by apt-get using = like you did, but Debian (TM) doesn't keep references to multiple versions in the same Packages file.

If you look at the actual directory where the package you're looking for exists, you can see that there are both versions available:

linux-image-3.16.0-4-amd64_3.16.43-2+deb8u4_amd64.deb
linux-image-3.16.0-4-amd64_3.16.43-2+deb8u5_amd64.deb

When deb8u5 appeared, the previous reference to deb8u4 disappeared. The deb8u4 .deb might still be referenced by another repository or simply not have undergone some "garbage collection". Clicking on "prev change" in the snapshot navigation leads only to deb8u3, without deb8u4 or deb8u5. That means the change between deb8u4 and deb8u5 happened too fast for deb8u4's Packages file to be available for download or for snapshot.debian.org to save this intermediate Packages file before deb8u5's replaced it. This reference (and the corresponding checksums, and the signed Release file) in debian-security is lost.

Just trying again with debian (instead of debian-security):

linux-image-3.16.0-4-amd64_3.16.43-2+deb8u4_amd64.deb

with a corresponding Packages.xz file. This one has the entry for deb8u2 only... and will keep only this one. The newer versions are supposed to come from debian-security until 8.10 is released, so even if they appear in the pool, that's just because snapshot.debian.org makes all appear at the same place.

Well, sorry, for this specific package version, I don't see a way to download the deb8u4. Even if it can be downloaded from the links and dpkg -i can install it, it's not possible to validate what was downloaded, so it should be avoided.

NOTE: your method is correct. You can usually complete it by pinning your specific snapshot for some specific packages, allowing apt-get to choose them automatically (without the need for = ) and preventing them from being upgraded later. That's explained here: https://wiki.debian.org/AptPreferences . Holding them (dpkg --set-selections or apt-mark hold) also works to avoid upgrades.
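
The answer's two points (apt only sees versions listed in the Packages index, and a .deb that is merely present in the pool has no checksum to validate against) can be reproduced offline. This is an added example, not part of the original answer: the index, the stand-in .deb files, the function names and hypothetical-other-package are constructed, and it assumes the Packages file itself was already authenticated through the signed Release file, as apt does.

```sh
#!/bin/sh
# Added example; the index and .deb files are constructed stand-ins.

# index_lookup INDEX PKG: print "<version> <sha256>" for each stanza of PKG.
index_lookup() {
    awk -v pkg="$2" '
        BEGIN { RS = ""; FS = "\n" }    # paragraph mode: one stanza per record
        {
            name = ver = sum = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Package: /) name = substr($i, 10)
                if ($i ~ /^Version: /) ver  = substr($i, 10)
                if ($i ~ /^SHA256: /)  sum  = substr($i, 9)
            }
            if (name == pkg) print ver, sum
        }' "$1"
}

# check_deb INDEX PKG VERSION DEB: print not-indexed, mismatch or verified.
check_deb() {
    want=$(index_lookup "$1" "$2" | awk -v v="$3" '($1 "") == (v "") { print $2 }')
    [ -n "$want" ] || { echo not-indexed; return 0; }
    got=$(sha256sum "$4" | cut -d' ' -f1)
    if [ "$got" = "$want" ]; then echo verified; else echo mismatch; fi
}

# make_sample DIR: a pool with two .debs whose index lists only deb8u5,
# mirroring the snapshot discussed above.
make_sample() {
    printf 'constructed stand-in for deb8u4\n' > "$1/u4.deb"
    printf 'constructed stand-in for deb8u5\n' > "$1/u5.deb"
    cat > "$1/Packages" <<EOF
Package: linux-image-3.16.0-4-amd64
Version: 3.16.43-2+deb8u5
SHA256: $(sha256sum "$1/u5.deb" | cut -d' ' -f1)

Package: hypothetical-other-package
Version: 1.0-1
SHA256: 0000
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
pkg=linux-image-3.16.0-4-amd64
index_lookup "$tmp/Packages" "$pkg"
check_deb "$tmp/Packages" "$pkg" 3.16.43-2+deb8u4 "$tmp/u4.deb"
check_deb "$tmp/Packages" "$pkg" 3.16.43-2+deb8u5 "$tmp/u5.deb"
check_deb "$tmp/Packages" "$pkg" 3.16.43-2+deb8u5 "$tmp/u4.deb"
rm -rf "$tmp"
```

Against a real snapshot, the decompressed Packages file from /var/lib/apt/lists/ can be passed as INDEX; a not-indexed result corresponds to the "was not found" error in the question.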