Please ignore previous post - this is the correct version (hopefully)

Plmalternate Plmalternate plmalternate at gmail.com
Mon May 8 18:26:15 UTC 2017


gmail messed with my formatting. Trying again:

TLDR Summary:

Is there any scriptable way to determine if a potential kernel upgrade
has new security enhancements/bug-fixes as opposed to just adding new
features that are not security enhancements?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Expansion/clarification:

Apt-check will do this sort of classification for all potential
upgrades collectively (and, I presume, internally it must do so for
each potential upgrade individually), but it can't see a potential
kernel upgrade unless linux-generic is installed, and if linux-generic
is installed you get the kernel upgrade automatically, with any
"apt-get dist-upgrade" which I'm trying to avoid. Is there some
machine readable datum somewhere that says "This kernel [does|does
not] feature new security enhancements" or do I have to read the
release notes? If the latter, where are the release notes?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Background or "Why do you ask?" (which doesn't really matter):

4.4.0-77 consistently breaks my Xenial systems of which I have 2,
tweaked a little differently, on the same machine. I do "apt-get
update" frequently and follow it with a direct invocation of apt-check
(from the update-notifier package). If the second field of the
apt-check output, which indicates the number of the potential upgrades
that are security enhancements, is not "0", I do "apt-get
dist-upgrade", otherwise, I don't bother.

So I can't have linux-generic or 4.4.0-77 will break my system. I'm
doing fine with 64 on one system and 71 on the other. I haven't yet
experimented with other pre-77 kernels (or post-77 for that matter -
they are in the repo. Any reason I shouldn't try them?). If possible,
I'd like to extend my upgrade policy for non-kernel packages - upgrade
everything if ANY potential upgrade is a security enhancement;
otherwise don't upgrade anything - to include kernels.

Right now, I'm checking what kernel is recommended with "apt-get
install --simulate linux-generic" and using grep and cut to filter out
the kernel version number. Once it gets past 77 I can try installing
linux-generic again. But it is a real PITA to fix things if it breaks
my system the same way 77 does, so I'd prefer to avoid that unless the
new kernel is correcting security flaws or has features I just can't
live without.
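As an added example (not code from the original post), a POSIX shell script that applies the upgrade policy described above to the two command outputs the post relies on: the "N;M" line from apt-check and the "Inst ..." lines from "apt-get install --simulate linux-generic". The sample strings are constructed so the script runs offline; treating a candidate served from the -security pocket as a security upgrade is an assumption the post does not state.

```shell
#!/bin/sh
# Helpers that apply the poster's policy to command output. Real inputs:
#   /usr/lib/update-notifier/apt-check 2>&1   -> "N;M" (M = security upgrades)
#   apt-get install --simulate linux-generic  -> "Inst ..." lines
# Assumption (not from the post): a kernel candidate coming from the
# xenial-security pocket is what apt-check counts as a security upgrade.

# Second field of apt-check output: number of pending security upgrades.
security_count() {
    printf '%s\n' "$1" | tr -d '[:space:]' | cut -d';' -f2
}

# Policy from the post: dist-upgrade only if at least one upgrade is security.
should_dist_upgrade() {
    if [ "$(security_count "$1")" -gt 0 ]; then echo upgrade; else echo skip; fi
}

# Kernel version (e.g. 4.4.0-77) that linux-generic would pull in, taken
# from the "Inst linux-image-<ver>-generic" line of the simulated install.
kernel_candidate() {
    printf '%s\n' "$1" | grep '^Inst linux-image-[0-9]' | head -n1 \
        | sed -n 's/^Inst linux-image-\([0-9][0-9.]*-[0-9]*\)-generic.*/\1/p'
}

# "yes" if the simulated kernel image install is served from a -security pocket.
kernel_is_security() {
    if printf '%s\n' "$1" | grep '^Inst linux-image-' | grep -q -e '-security'; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample data standing in for the real command output.
SAMPLE_APTCHECK='3;1'
SAMPLE_SIM='Reading package lists...
Inst linux-image-4.4.0-77-generic (4.4.0-77.98 Ubuntu:16.04/xenial-updates, Ubuntu:16.04/xenial-security [amd64])
Inst linux-generic (4.4.0.77.83 Ubuntu:16.04/xenial-updates [amd64])'

echo "policy: $(should_dist_upgrade "$SAMPLE_APTCHECK")"
echo "kernel candidate: $(kernel_candidate "$SAMPLE_SIM") (security: $(kernel_is_security "$SAMPLE_SIM"))"
```

To use it live, replace the two SAMPLE_ variables with the captured output of the commands named in the comments.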