Many people seem to be afraid of mixing stable with testing, but frankly, testing is fairly stable in its own right, and with proper preferences and solution checking, you can avoid the "stability drift" that puts your core packages on the unstable path.

"Testing is fairly stable??", you ask. Yes. In order for a package to migrate from unstable to testing, it has to have zero open bugs for 10 consecutive days. Chances are that, especially for the more popular packages, somebody is going to submit a bug report for an unstable version if something is wrong.

Even if you don't want to mix the environments, it's still nice to have the option there in case you run into something that requires a newer version than what is in stable.

Here's what I recommend for setting this up:

First, create the following files in /etc/apt/preferences.d:

stable.pref:

# 500 <= P < 990: causes a version to be installed unless there is a
# version available belonging to the target release or the installed
# version is more recent

Package: *
Pin: release a=stable
Pin-Priority: 900

testing.pref:

# 100 <= P < 500: causes a version to be installed unless there is a
# version available belonging to some other distribution or the installed
# version is more recent

Package: *
Pin: release a=testing
Pin-Priority: 400

unstable.pref:

# 0 < P < 100: causes a version to be installed only if there is no
# installed version of the package

Package: *
Pin: release a=unstable
Pin-Priority: 50

experimental.pref:

# 0 < P < 100: causes a version to be installed only if there is no
# installed version of the package

Package: *
Pin: release a=experimental
Pin-Priority: 1

(Don't be afraid of the unstable/experimental stuff here. The priorities are low enough that it's never going to automatically install any of that stuff. Even the testing branch will behave, as it's only going to install the packages you want to be in testing.)

Now, creating a matching set for /etc/apt/sources.list.d:

stable.list: Copy from your original /etc/apt/sources.list. Rename the old file to something like sources.list.orig.

testing.list: Same as stable.list, except with testing.

unstable.list: Same as stable.list, except with unstable, and remove the security lists.

experimental.list: Same as unstable.list, except with experimental.

You can also add a oldstable in sources.lists.d and preferences.d (use a priority of 1), though this moniker will tend to expire and disappear before the next stable cycle. In cases like that, you can use http://archive.debian.org/debian/ and "hardcode" the Debian version (etch, lenny, etc.).

To install the testing version of a package, simply use aptitude install lib-foobar-package/testing, or just jump into aptitude's GUI and select the version inside of the package details (hit enter on the package you're looking at).

If you get complaints of package conflicts, look at the solutions first. In most cases, the first one is going to be "don't install this version". Learn to use the per-package accept/reject resolver choices. For example, if you're installing foobar-package/testing, and the first solution is "don't install foobar-package/testing", then mark that choice as rejected, and the other solutions will never veer to that path again. In cases like these, you'll probably have to install a few other testing packages.

If it's getting too hairy (like it's trying to upgrade libc or the kernel or some other huge core system), then you can either reject those upgrade paths or just back out of the initial upgrade altogether. Remember that it's only going to upgrade stuff to testing/unstable if you allow it to.

EDIT: Fixed some priority pins, and updated the list.

In /etc/apt/apt.conf.d add the following file

99defaultrelease:

APT::Default-Release "stable";

in /etc/apt/sources.list.d - add urls for testing / unstable sources

stable.list:

deb     http://ftp.de.debian.org/debian/    stable main contrib non-free
deb-src http://ftp.de.debian.org/debian/    stable main contrib non-free

deb     http://security.debian.org/         stable/updates  main contrib non-free

testing.list:

deb     http://ftp.de.debian.org/debian/    testing main contrib non-free
deb-src http://ftp.de.debian.org/debian/    testing main contrib non-free

deb     http://security.debian.org/         testing/updates  main contrib non-free

run

apt-get update

and then install what you need with

apt-get -t testing install something

Be very very careful if you install stuff that has plenty of dependencies. Preferably don't do this on production.

You can as well try your luck at backports or similar repository.

apt_preferences

Define the default level that the system should 'safe-upgrade' to in the /etc/apt/preferences file:
man apt_preferences

There's a lot you can do with apt_preferences but for the sake of simplicity...

I needed to install a single package (autoMysqlBackup) that was only available in Testing. The solution was to add the following to /etc/apt/preferences:

Explanation: Uninstall or do not install any Debian-originated
Explanation: package versions other than those in the stable distro
Package: *
Pin: release a=stable
Pin-Priority: 900

Package: *
Pin: release o=Debian
Pin-Priority: -10

With multiple repositories added to /etc/apt/sources.list aptitude will now only upgrade to your specified release even though the later release repos are listed (in this case 'stable').

deb http://mirror.aarnet.edu.au/debian/ lenny main
deb-src http://mirror.aarnet.edu.au/debian/ lenny main
deb http://mirror.aarnet.edu.au/debian/ squeeze main
deb-src http://mirror.aarnet.edu.au/debian/ squeeze main

So to install that package, all you have to do is:

$ aptitude install -t testing packageName 

For what it's worth, the general advice I've always seen is "Don't mix stable with anything." Most of the mixed systems tutorials are for mixing testing and unstable.

The reasoning seems to be that if you mix stable with testing, very basic packages (like libc6) will require updates (in order to install software from testing), and once these basic packages move to testing, the whole system can drift that way.

Here are two alternatives:

1. Use Backports.
2. Install a source line from testing, and try to build the later version you want from source.

The debian documentation is extensive in the subject and I strongly advise to dig in as it will truely unveil the beauty of the debian system.

Have a look at How to keep a mixed system, it will explain all you need tio know.

Another way, that could prevent installing too many dependences from Testing or Sid, is this: you tell apt-get to get the source of the package from Testing or Sid and create a package for your system using Debian tools (no need to manually tinker with sources).

Quoting from here:
https://wiki.debian.org/DebianUnstable#How_do_I_backport_a_sid_package_to_testing_or_stable.3F

How do I backport a sid package to testing or stable?

Install the Debian source (and the development tools, especially debhelper, devscripts, and build-essential), and then build the package.

Step by step:

add a deb-src line for sid to your sources.list

apt-get update

apt-get build-dep PACKAGE_NAME

apt-get -b source PACKAGE_NAME 

The resulting debs should be in the current directory and can be installed with dpkg -i the.deb.

I have been doing it for an extended period of time to be confident in saying it is safe enough and can be made convenient. With the below setup stable version will installed by default, however Aptitude will also allow you to choose backported or unstable version if so desired:

There are four things that need to be edited, the default pinning release needs to be set, the sources need backports and unstable added, lowering the pinning priority of backports/unstable packages, and the aptitude display settings needs to be modified to display pinning.

• Create a '/etc/apt/apt.conf.d/10defaultrelease' and make it's contents as follows:

Apt::default-Release "stable";

• Edit your '/etc/apt/sources.list' to add unstable and backports sources so it looks something like this:

# deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official Multi-architecture amd64/i386 NETINST #1 20110205-14:45]/ squeeze main

deb http://ftp.us.debian.org/debian/ squeeze main
deb-src http://ftp.us.debian.org/debian/ squeeze main

deb http://security.debian.org/ squeeze/updates main
deb-src http://security.debian.org/ squeeze/updates main

# squeeze-update, previously know as 'volatile'
deb http://ftp.us.debian.org/debian/ squeeze-updates main
deb-src http://ftp.us.debian.org/debian/ squeeze-updates main

# squeeze backports
# http://backports.debian.org/Instructions/
deb http://backports.debian.org/debian-backports squeeze-backports main

# unstable
# http://wiki.debian.org/AptPreferences
deb http://ftp.us.debian.org/debian/ unstable main
deb-src http://ftp.us.debian.org/debian/ unstable main

# non free ex. sun java
#deb http://ftp.us.debian.org/debian/ squeeze non-free
#deb-src http://ftp.us.debian.org/debian/ squeeze non-free

• Edit etc/apt/preferences pinning file - if the file doesn't exist do create it.

# Package pinning priorities
# See http://wiki.debian.org/AptPreferences and http://manpages.debian.net/cgi-bin/man.cgi?query=apt_preferences
#
# In nut shell highest PIN gets installed
#
# Pining default are as follow which are in addition to our settings:
#   990 - for version that are not installed but DO belong to our `APT::Default-Relase "stable"` setting.
#   500 - for versions that are not installed and do not belong to the target release
#   100 - for packages that already installed, this also means other versions of same package
#     1 - for experimental packages; packages with "NotAutomatic: yes"
#
# Our Pinnings
#   400 - backports that can safely be installed without the need to update other packages
#    50 - unstable packages, install forced in the details screen, can result in conflicts

Package: *
Pin: release n=squeeze-backports
Pin-Priority: 400

Package: *
Pin: release a=unstable

• Create '/etc/apt/apt.conf.d/100guiconf' and to setup Aptitude so it display pinning information.

Aptitude::UI::Package-Display-Format "%c%a%M %p %Z %v %V %i";

If your selection of packages is more involved or the installation will be repeated on multiple machines, you might consider setting up a private repository that mirrors a subset of the official repositories. This requires a bit of work to configure the repository but the reward is easy to maintain with a bare minimum of configuration on each client and repeatable results when doing dozens of installations. I find this helpful even when only one or two packages are being installed, and use this method for automating and maintaining cloud installs. A single server on a cheap VPS can handle dozens of private repositories.

To configure your private repository server:

# Install aptly.
apt-get install aptly

# Create local mirror (choose a source mirror near you).
aptly mirror create -filter="mirror-contains-no-packages" stretch-roundcube http://httpredir.debian.org/debian stretch main

# Configure filters for local mirror.
aptly mirror edit -filter="Name (% roundcube*)" stretch-roundcube

# Update local mirror.
aptly mirror update stretch-roundcube

# Drop previously published repositories and mirrors, if running these commands in a script.
aptly publish drop stretch

# Drop snapshot, if running these commands in a script.
aptly snapshot drop stretch-roundcube

# Create new snapshot.
aptly snapshot create stretch-roundcube from mirror stretch-roundcube

# Publish snapshot.
aptly publish snapshot -architectures=i386,amd64 -distribution=stretch -component=roundcube -label="Your Name" -origin="Your Name" stretch-roundcube

Then configure your web server of choice to serve the static repository files. Possibly protect the repository with a security certificate and basic authentication.

To automatically maintain your private repository and pull in updates from upstream, put the above in a script and run from a cron job.

To configure your client machine, on your client machine:

# Configure private repository without authentication.
echo 'deb http://private.repository.example.com/ stretch roundcube' > /etc/apt/sources.list.d/private.repository.example.com.list

# Configure private repository with authentication.
echo 'deb https://hostname:[email protected]/ stretch roundcube' > /etc/apt/sources.list.d/private.repository.example.com.list
apt-get install apt-transport-https

# Update.
apt-get update

# Install package.
apt-get install roundcube

To maintain your client machine and pull in all of your private repository updates, on your client machine:

# Update.
apt-get update

# Upgrade.
apt-get upgrade

Another option is to download instead the source package from testing. APT can auto-build the source package after downloading it. This way, your stable packages will not be affected by testing updates. The only trade-off is that it will take more time than just downloading and installing the binary package.

To configure APT to download source packages from testing, just add:

deb-src http://<your debian mirror here> testing main

If you just want to follow the current testing and not future testings, replace "testing" with the current codename (as of this writing it is "buster")

What I do to avoid mixing stable/testing/experimental, is to install a Debian Sid in a directory on my Debian stable system with debootstrap, then I can use the tools I want. In this example, I need a recent xmllint tool (XML processing).

For this, this is what I've done:

apt install debootstrap
mkdir /home/sid-chroot
debootstrap --arch amd64 sid /home/sid-chroot http://mirrors.ircam.fr/pub/debian/
chroot /home/sid-chroot
apt install libxml2-utils

Now, I can exit the chroot and use the lib, 'hacking' LD_LIBRARY_PATH for specific dynamic loading librarys.

In ~/.bashrc:

alias xmllint='LD_LIBRARY_PATH=/home/sid-chroot/usr /home/sid-chroot/usr/bin/xmllint'

Now, when I run xmllint, I have the 2.9.10 version of libxml2-utils. (2019 vs 2016 versions).

The pros:

• I can install any other one package easily
• no kitty killed, no risk to crash my desktop by mixing testing/experimental stuff
• I keep my Debian stable system up to date with the security updates
• I keep my system largely used by many people (unlike sid), this way, random software are still compatible enough

The cons:

• it takes 410MB on the system (I don't care)
• it needs aliasing in .bashrc