Puppet lets you install packages on your system, like this:

package { 'foo': ensure => installed }

You can also ask it to make sure that the package is kept up-to-date:

package { 'foo': ensure => latest }

What does "latest" mean? How does this interact with a mixed repository sources.list on Debian?

It turns out that both ensure => installed and ensure => latest honour pinning. For example: if you have a stable system; sid in your sources.list and pinning set up; either of the above will install stable's version of foo.

I think ensure => latest is less useful than it might initially appear. If you install a package foo and use ensure => latest, but foo depends on packages bar and baz, it will only ensure that foo is up-to-date, not bar or baz. Similarly any other packages that you have not installed with puppet will not be kept up-to-date unless you name them explicitly. If you want to automatically take all updates from your distributor, you need to use another mechanism to do so.