Patchman flags several packages as having pending security updates, but the host is in fact fully up to date according to apt.
The version Patchman reports as "new" is the bare upstream version without the Debian/Ubuntu packaging revision suffix.
Versions
- Patchman server: 4.0.18 (python3-patchman 4.0.18-1, from openbytes.ie Debian trixie repo)
- Patchman client: 4.0.18 (patchman-client 4.0.18-1, same repo)
- Server OS: Debian 13 (trixie)
- Reporting protocol: 2 (API key)
- Affected clients: Ubuntu 24.04.4 LTS (all 13 of our Ubuntu hosts exhibit this; a Debian 13 client does not)
Example
On an Ubuntu 24.04 host, Patchman's API reports 4 pending security updates:
| Package | Patchman "new" version | Installed | Apt candidate |
|---|---|---|---|
| libpolkit-agent-1-0 | 124 | 124-2ubuntu1.24.04.2 | 124-2ubuntu1.24.04.2 |
| libpolkit-gobject-1-0 | 124 | 124-2ubuntu1.24.04.2 | 124-2ubuntu1.24.04.2 |
| polkitd | 124 | 124-2ubuntu1.24.04.2 | 124-2ubuntu1.24.04.2 |
| libxml-parser-perl | 2.47 | 2.47-1build3 | 2.47-1build3 |
apt-cache policy on the host shows Installed == Candidate for all four — nothing to upgrade.
Expected behaviour
A package where the installed version matches (or exceeds) the advisory version — including the Debian/Ubuntu revision suffix — should not be reported as having a pending update.
Actual behaviour
Patchman treats 124-2ubuntu1.24.04.2 as older than 124 and flags it as requiring an update to 124. This appears to be either an asymmetric version comparison or the Debian/Ubuntu revision suffix being stripped when advisories are ingested. Ubuntu packages whose version differs from Debian upstream only by a -Nubuntu… / -Nbuild… suffix appear to be consistently affected.
Reproduce
- Run patchman-client -v on an Ubuntu 24.04 host.
- Query the API: GET /api/host/?hostname= and resolve the updates → newpackage → name chain.
- Observe "new" package versions that are stripped of their Ubuntu revision suffix, while the installed packages on the host retain the full -Nubuntu1.24.04.2 string.
Not fixed by
- Forcing a fresh report (sudo patchman-client -v) — report is accepted (status 202, report id issued) but the pending-update list remains unchanged.