In summary, your posting seems to contain two different points: 1. the format of the pin origin being insufficiently documented and 2. apt downloading another file than the one listed with the highest priority.
Concerning the second: In all your examples, the files on the cdrom and the http mirror were identical (which apt decided using a hash over some header fields in the respective package files). After one of them got selected due to its high priority, apt doesn't care any longer which of them to install, it just uses the first one (which is also the one that is listed first in sources.list).

Regards,
Daniel

