Look at the meta for the `Debian:11` project (https://build.opensuse.org/project/show/Debian:11) I notice that this uses the following 3 sources: <repository name="standard"> <download arch="x86_64" url="http://ftp.de.debian.org/debian/bullseye/main" repotype="deb"> <repository name="update"> <download arch="x86_64" url="http://ftp.de.debian.org/debian/bullseye-updates/main" repotype="deb"> <repository name="backports"> <download arch="x86_64" url="http://ftp.de.debian.org/debian/bullseye-backports/main" repotype="deb"> I wonder if should also include the upstream debian `security` source? This will contain security fixes that are neither in update or standard (until the next point release of standard) `deb http://deb.debian.org/debian-security/ bullseye-security main` See: https://wiki.debian.org/SourcesList for full details of debian standard/update/security sources.