I am experiencing the same kind of issue with 0.6.7 on buster building a
buster image. Thanks to this report I was able to determine why
libgnutls-openssl27 was breaking for me.
Then I also discovered that this problem also silently affects some
packages without actually causing any breakage that would get noticed.
Simple-cdd just simply leaves some packages with old versions. E.g. I
found out that simple-cdd is leaving my image with outdated e2fslibs and
libcomerr2 packages because the security repo has old versions of those.
If I explicitely add libpam-systemd to my list of packages, everything
works as it should...
When running with --debug, you see 232-25+deb9u8 being downloaded from
stretch in both cases. However, when libpam-systemd is listed in
test.packages, 232-25+deb9u9 is also later downloaded from
stretch/updates, and used to correctly satisfy the dependency.
At the moment, that's unfortunately the recommended workaround for
these
situations.
I came up with a different workaround that I'd recommend over what was
recommended above. If you list the affected packages in test.downloads
(instead of test.packages) then it still works around this bug but
without marking the resulting package installation as explicitly
selected. At least, for me it seems to.
-mn
