Debian – On Debian, how to audit installed packages against packages in a particular repository

I manage a number of Debian servers and usually track the Debian stable repository but occasionally install from the Debian testing repository or third party sources. For audit purposes, on each machine, for all packages currently installed, I would like to compare the installed package version against the package version in a particular repository, ie the Debian stable repository.

Using aptitude search patterns I can identify installed packages that are or are not available from the Debian stable repository:

aptitude search "?installed?origin(Debian)?archive(stable)"
aptitude search "?installed?not(?origin(Debian)?archive(stable))"

But for the packages that are available from the Debian stable repository I am not able determine whether the installed version matches the version in the repository.

I suppose it might be possible to use apt pinning to force a downgrade:

Package:      *
Pin:          release n=stable, o=Debian
Pin-Priority: 1001

And then use dry run mode to check which packages would be affected:

apt-get update
apt-get --dry-run upgrade

But mitigating the risks of using apt pinning over 1000 would require a separate configuration for apt, which seems more complicated than it needs to be.

A possibility going forward would be to set up a private repository, and only install from the Debian stable repository or the private repository. Then, if a package was available from the private repository, it could be assumed (for audit purposes) to not have been installed from the Debian stable repository. As long as packages are never installed manually, this could work reasonably well. But setting up a private repository seems a bit overkill for what could be one simple command.

Is there a better way to audit package versions? Or even better, to audit package signatures?