An update shows same version number as the installed version

After importing a clean Whonix-Xfce-17.2.8.5.Intel_AMD64.ova into VirtualBox, I ran sudo apt update and then apt list --upgradable and I can see that vm-config-dist is listed as upgradable even though the version numbers are the same for the installed and upgradable versions:

vm-config-dist/unknown 3:10.5-1 all [upgradable from: 3:10.5-1]

I checked the wiki page Operating System Software and Updates which says in the header summary that it should cover version numbers, but there is no information about this on the page except about frozen Debian packages and version numbers.

Is this a security issue? How can I see which repository is recommending me this particular update?


Is this in whonix gateway or whonix workstation?

I do not know the answer to the question. However, for me, I do not get this message in either gateway or workstation

user@host:~$ sudo apt update
[sudo] password for user:
Hit:1 tor+https://deb.kicksecure.com bookworm InRelease
Get:2 tor+https://fasttrack.debian.net/debian bookworm-fasttrack InRelease [12.9 kB]
Hit:3 tor+https://deb.debian.org/debian bookworm InRelease
Hit:4 tor+https://deb.debian.org/debian bookworm-updates InRelease
Hit:5 tor+https://deb.debian.org/debian-security bookworm-security InRelease
Hit:6 tor+https://deb.whonix.org bookworm InRelease
Hit:7 tor+https://deb.debian.org/debian bookworm-backports InRelease
Fetched 12.9 kB in 3s (4011 B/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.

Is this in whonix gateway or whonix workstation?

Whonix Gateway

Your post shows you have no updates available, are you using a fresh/clean import of Whonix-Xfce-17.2.8.5.Intel_AMD64.ova? My Whonix Gateway showed 8 packages to be upgraded, as well as some more on Whonix Workstation.

My Whonix Gateway terminal output:

[gateway user ~]% sudo apt update
Hit:1 tor+https://deb.kicksecure.com bookworm InRelease
Hit:2 tor+https://fasttrack.debian.net/debian bookworm-fasttrack InRelease
Hit:3 tor+https://deb.whonix.org bookworm InRelease
Hit:4 tor+https://deb.debian.org/debian bookworm InRelease
Hit:5 tor+https://deb.debian.org/debian bookworm-updates InRelease
Hit:6 tor+https://deb.debian.org/debian-security bookworm-security InRelease
Hit:7 tor+https://deb.debian.org/debian bookworm-backports InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
8 packages can be upgraded. Run 'apt list --upgradable' to see them.
[gateway user ~]% apt list --upgradable
Listing... Done
gstreamer1.0-plugins-base/stable-security 1.22.0-3+deb12u3 amd64 [upgradable from: 1.22.0-3+deb12u2]
helper-scripts/unknown 3:24.6-1 all [upgradable from: 3:24.5-1]
libgstreamer-gl1.0-0/stable-security 1.22.0-3+deb12u3 amd64 [upgradable from: 1.22.0-3+deb12u2]
libgstreamer-plugins-base1.0-0/stable-security 1.22.0-3+deb12u3 amd64 [upgradable from: 1.22.0-3+deb12u2]
libgstreamer1.0-0/stable-security 1.22.0-2+deb12u1 amd64 [upgradable from: 1.22.0-2]
libjavascriptcoregtk-4.1-0/stable-security 2.46.5-1~deb12u1 amd64 [upgradable from: 2.46.4-1~deb12u1]
libwebkit2gtk-4.1-0/stable-security 2.46.5-1~deb12u1 amd64 [upgradable from: 2.46.4-1~deb12u1]
vm-config-dist/unknown 3:10.5-1 all [upgradable from: 3:10.5-1]
[gateway user ~]%

How come your terminal output shows user@host:~$?

Mine shows [gateway user ~]% for the Gateway
and [workstation user ~]% for the Workstation.


Users cannot perform system audits. [1] [2]

Out of scope as per Support Request Policy.


[1]

[2]


I only mentioned that an update showed the same version as the installed version, and that this is not mentioned in the wiki, and I also know that malicious updates can be a security issue, so I posted about it here. I was not performing a system audit. Is there a better place to post this than in the support forum?


I should have said I was able to reproduce this issue.

There’s no need to be concerned about this kind of stuff.

Malware doesn’t operate in that way. Elaborated here:
Valid Compromise Indicators versus Invalid Compromise Indicators

Malicious updates are a risk. This is documented in detail here:

However, if there is ever a malicious update, it’s highly unlikely that APT will point it out.

Welcome to computer insecurity. Elaborated here:

So, there are many unpopular issues that I am not sure are worth being concerned about without deeper interest and taking action (becoming a developer, which is mostly unrealistic).

These issues are unspecific to Kicksecure and are general computer security issues affecting all software.

There most likely isn’t.


Developer information:

  • It’s most likely an issue with dpkg-gencontrol and its Installed-Size calculation algorithm.
  • Redistributed VM images are built in a different VM than the remote APT repository deb.whonix.org.
  • Redistributed VM images during the build process use ~/derivative-binary/aptrepo_local, a locally built package repository.
  • The remote APT repository ~/derivative-binary/aptrepo_remote is built in a different VM and then uploaded.
  • Therefore, small differences in the packages or repository metadata are introduced due to the lack of reproducible builds and rebuilders.
  • debdiff vm-config-dist_10.5-1_all.deb kicksecure/pool/main/v/vm-config-dist/vm-config-dist_10.5-1_all.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Installed-Size: [-133-] {+135+}

There’s a lot of stuff to do. Enough to probably keep thousands of people busy. However, explaining the technical details behind strange bugs to non-developers to satisfy curiosity isn’t a good use of developers’ time. Hence, my previous post was an attempt to shortcut the discussion to preserve developer time.

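The developer notes above show that the locally built and the uploaded vm-config-dist packages differ only in the Installed-Size control field, which debdiff reports in wdiff format. The following is an added example, not code from this thread or from the Whonix/Kicksecure projects: it parses two Debian control stanzas (constructed here to mirror the 133 vs 135 case; in practice they would come from `dpkg-deb -f old.deb` and `dpkg-deb -f new.deb`), prints the differing fields the way debdiff does, and reports whether all differences fall into a set of fields assumed benign for a rebuild.

```python
"""Field-level diff of two Debian control stanzas, in wdiff style.

Added example, not code from the thread or from Whonix/Kicksecure. The
stanzas are CONSTRUCTED to mirror the thread's debdiff output (same
version, Installed-Size 133 vs 135); real ones come from `dpkg-deb -f`.
"""
from typing import Dict, List, Tuple

LOCAL_CONTROL = """\
Package: vm-config-dist
Version: 3:10.5-1
Architecture: all
Installed-Size: 133
Depends: helper-scripts
Description: configuration for virtual machines
 Constructed sample stanza.
"""
REMOTE_CONTROL = LOCAL_CONTROL.replace("Installed-Size: 133", "Installed-Size: 135")

# Assumption: fields a rebuild may change without altering the installed files.
BENIGN_FIELDS = {"Installed-Size"}


def parse_control(text: str) -> Dict[str, str]:
    """Parse one RFC822-style stanza; continuation lines start with whitespace."""
    fields: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current] += "\n" + line
        else:
            name, _, value = line.partition(":")
            current = name.strip()
            fields[current] = value.strip()
    return fields


def control_diff(old: str, new: str) -> List[Tuple[str, str]]:
    """(field, wdiff-style line) for every field whose value differs."""
    a, b = parse_control(old), parse_control(new)
    return [(k, f"{k}: [-{a.get(k, '')}-] {{+{b.get(k, '')}+}}")
            for k in sorted(a.keys() | b.keys()) if a.get(k) != b.get(k)]


def only_benign_differences(old: str, new: str) -> bool:
    """True when every differing field is in BENIGN_FIELDS, e.g. Installed-Size."""
    return all(k in BENIGN_FIELDS for k, _ in control_diff(old, new))
```

A differing Depends, Maintainer or Version field would make `only_benign_differences` return False and is the case worth investigating further; this script covers control metadata only, while debdiff also compares the file lists.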