Linux kernel update process: "Major security fixes still not fixed in the version we're considering" is not realistic
Status quo
The doc currently reads:
(in which case, depending on when we are in our own release process, it may be worth delaying the analysis a bit, or exceptionally installing the kernel from unstable)
To do so, use the Debian security tracker for Linux.
Problem statement
This part of our process does not look very realistic, at least not in the way it's documented: on https://security-tracker.debian.org/tracker/source-package/linux there are dozens of CVEs that are fixed in trixie/sid and not in Bookworm. I doubt we check each of them every time we upgrade the kernel.
Questions
- How do you handle this? Is there already a way to handle this without spending 1+ hours on it?
- Do you remember a time when this step has been useful?
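One way to cut the manual pass over the tracker page down to a script run, as an added example that is not part of the original issue or of the documented process: it compares the fix status of linux CVEs between two suites using the tracker's JSON export (URL and field layout assumed from the live feed; the sample data is constructed, not real CVE data).

```python
"""List linux CVEs marked resolved in one Debian suite (e.g. sid) but still open
in another (e.g. bookworm), using the security tracker's JSON export.
The export shape below is assumed: package -> CVE -> {"releases": {suite: {...}}}."""
import json
import sys
import urllib.request

TRACKER_JSON = "https://security-tracker.debian.org/tracker/data/json"  # assumed export URL

# Constructed sample in the assumed export shape (not real CVE data).
SAMPLE = {
    "linux": {
        "CVE-0000-0001": {"description": "constructed: fixed in sid only",
            "releases": {"bookworm": {"status": "open", "urgency": "high"},
                         "sid": {"status": "resolved", "fixed_version": "6.12.1-1"}}},
        "CVE-0000-0002": {"description": "constructed: fixed in both suites",
            "releases": {"bookworm": {"status": "resolved", "fixed_version": "6.1.100-1"},
                         "sid": {"status": "resolved", "fixed_version": "6.12.1-1"}}},
        "CVE-0000-0003": {"description": "constructed: open everywhere",
            "releases": {"bookworm": {"status": "open", "urgency": "low"},
                         "sid": {"status": "open", "urgency": "low"}}},
    }
}


def fixed_only_in(data, package, target, reference):
    """Return {cve: version_fixed_in_target} for CVEs resolved in `target`
    but still open in `reference`; these are the ones the process asks about."""
    gap = {}
    for cve, info in data.get(package, {}).items():
        releases = info.get("releases", {})
        if (releases.get(target, {}).get("status") == "resolved"
                and releases.get(reference, {}).get("status") == "open"):
            gap[cve] = releases[target].get("fixed_version", "?")
    return gap


def fetch_tracker():
    """Download the full tracker export (several MB); only used with --live."""
    with urllib.request.urlopen(TRACKER_JSON, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    data = fetch_tracker() if "--live" in sys.argv else SAMPLE
    for cve, ver in sorted(fixed_only_in(data, "linux", "sid", "bookworm").items()):
        urgency = data["linux"][cve]["releases"]["bookworm"].get("urgency", "?")
        print(f"{cve}: fixed in sid ({ver}), open in bookworm, urgency {urgency}")
```

Without `--live` it runs against the constructed sample; with it, the output is the list that would otherwise be read off the tracker page by hand.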