Please ignore previous post - this is the correct version (hopefully)
Andy Whitcroft
apw at canonical.com
Tue May 9 05:56:16 UTC 2017
On Mon, May 08, 2017 at 02:26:15PM -0400, Plmalternate Plmalternate wrote:
> gmail messed with my formatting. Trying again:
>
> TLDR Summary:
>
> Is there any scriptable way to determine if a potential kernel upgrade
> has new security enhancements/bug-fixes as opposed to just adding new
> features that are not security enhancements?
The kernel will only be in the -security pocket if it contains security
updates. That said we have only had one in recent memory which was not
a security update and that I believe was -77.
> So I can't have linux-generic or 4.4.0-77 will break my system. I'm
> doing fine with 64 on one system and 71 on the other. I haven't yet
> experimented with other pre-77 kernels (or post-77 for that matter -
> they are in the repo. Any reason I shouldn't try them?). If possible,
> I'd like to extend my upgrade policy for non-kernel packages - upgrade
> everything if ANY potential upgrade is a security enhancement;
> otherwise don't upgrade anything - to include kernels.
I will note at this point that due to an issue with phasing some people
had issues with -77 due to update-manager only installing the
linux-image-4.4.0-77* package and not installing the associated
linux-image-extra-4.4.0-77* package. This broke networking for a number
of people. It is worth checking if this is the reason your -77 is bad.
If it is not that please file a bug and describe the symptoms.
> Right now, I'm checking what kernel is recommended with "apt-get
> install --simulate linux-generic" and using grep and cut to filter out
> the kernel version number. Once it gets past 77 I can try installing
> linux-generic again. But it is a real PITA to fix things if it breaks
> my system the same way 77 does, so I'd prefer to avoid that unless the
> new kernel is correcting security flaws or has features I just can't
> live without.
As I say 99% of kernels contain security updates. Those that do go to
the -security pocket.
-apw
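
A scriptable form of the pocket check described in the reply above, as an added example that is not part of the original thread: it reads `apt-cache policy` output and reports whether the candidate version is listed from a `-security` suite. The function name and both sample outputs (including their version numbers) are constructed for illustration.

```shell
#!/bin/sh
# Prints security / other / none for `apt-cache policy <pkg>` output on stdin.
candidate_pocket() {
    awk '
        $1 == "Candidate:" { cand = $2; next }
        $1 == "Version" && $2 == "table:" { in_table = 1; next }
        !in_table { next }
        # Source line: <priority> <uri-or-path> <suite>/<component> ...
        $1 ~ /^-?[0-9]+$/ && $2 ~ /^(\/|[a-z][a-z0-9+.-]*:)/ {
            if (cur == cand && $3 ~ /-security\//) sec = 1
            next
        }
        # Version line: optional *** (installed marker), version, priority
        { cur = ($1 == "***") ? $2 : $1 }
        END {
            if (cand == "" || cand == "(none)") print "none"
            else if (sec) print "security"
            else print "other"
        }
    '
}

# Constructed sample outputs; the version numbers are not real archive data.
SAMPLE_SECURITY='linux-generic:
  Installed: 4.4.0.71.1
  Candidate: 4.4.0.78.1
  Version table:
     4.4.0.78.1 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
 *** 4.4.0.71.1 100
        100 /var/lib/dpkg/status'

SAMPLE_UPDATES_ONLY='linux-generic:
  Installed: 4.4.0.71.1
  Candidate: 4.4.0.77.1
  Version table:
     4.4.0.77.1 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
     4.4.0.72.1 500
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
 *** 4.4.0.71.1 100
        100 /var/lib/dpkg/status'

# Real use: apt-cache policy linux-generic | candidate_pocket
printf '%s\n' "$SAMPLE_SECURITY" | candidate_pocket
printf '%s\n' "$SAMPLE_UPDATES_ONLY" | candidate_pocket
```

The second sample shows why the check is tied to the candidate version: an older version listed from `-security` does not make a newer `-updates`-only candidate a security update.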