Automatically upgrade the Linux kernel from Debian stable security
We upgrade all non-kernel packages automatically from Debian stable security updates. And we also upgrade the kernel automatically when its ABI (and thus the linux-image-$ABI-amd64) package name remains the same, and only its version changes.
But when the Linux kernel ABI changes in a stable security update, we don't get it automatically, and we spend time:
- noticing there's an upgrade (or missing it, like #20589 (closed), which was spotted during the release process "thanks" to #16375 triggering an FTBFS)
- considering the pros & cons of the upgrade (https://tails.net/contribute/Linux_kernel/), which for stable security updates is a bit overkill
- pushing a MR, checking CI results, getting it merged
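The distinction the proposal hinges on is whether a new kernel in stable security keeps the same ABI (same linux-image-$ABI-amd64 package name, only a new version) or bumps it. The following is an added example, not Tails code: a small check, run over constructed package names and versions, that classifies each available kernel package relative to the installed one so that ABI bumps can be listed automatically instead of being noticed by hand.

```python
import re
from typing import NamedTuple

# Debian binary kernel packages are named linux-image-<ABI>-<flavour>,
# e.g. linux-image-6.1.0-26-amd64 with ABI 6.1.0-26. The metapackage
# linux-image-amd64 carries no ABI and is deliberately not matched.
KERNEL_PKG_RE = re.compile(
    r"^linux-image-(?P<abi>\d+\.\d+\.\d+-[0-9.]+)-(?P<flavour>[a-z][a-z0-9-]*)$"
)

class KernelPkg(NamedTuple):
    name: str      # binary package name
    version: str   # Debian package version, e.g. 6.1.106-3

def classify_upgrade(installed: KernelPkg, candidate: KernelPkg) -> str:
    """Classify a candidate stable-security kernel relative to the installed one.

    'unrelated'    - not a kernel image, or a different flavour
    'none'         - same package and version, nothing to do
    'version-only' - same package name (same ABI), only the version changed:
                     the case unattended upgrades already handle
    'abi-change'   - ABI (and thus package name) changed: the case that
                     currently needs a manual merge request
    """
    a, b = KERNEL_PKG_RE.match(installed.name), KERNEL_PKG_RE.match(candidate.name)
    if not a or not b or a.group("flavour") != b.group("flavour"):
        return "unrelated"
    if a.group("abi") != b.group("abi"):
        return "abi-change"
    return "none" if installed.version == candidate.version else "version-only"

def pending_abi_bumps(installed: KernelPkg, available: list[KernelPkg]) -> list[str]:
    """Names of available kernel packages whose ABI differs from the installed one."""
    return [p.name for p in available
            if classify_upgrade(installed, p) == "abi-change"]

# Constructed sample data (not real Debian versions), as an apt index might list it.
INSTALLED = KernelPkg("linux-image-6.1.0-25-amd64", "6.1.106-3")
AVAILABLE = [
    KernelPkg("linux-image-6.1.0-25-amd64", "6.1.112-1"),        # version-only
    KernelPkg("linux-image-6.1.0-26-amd64", "6.1.115-1"),        # abi-change
    KernelPkg("linux-image-6.1.0-26-cloud-amd64", "6.1.115-1"),  # other flavour
    KernelPkg("linux-image-amd64", "6.1.115-1"),                 # metapackage, no ABI
]

if __name__ == "__main__":
    for pkg in AVAILABLE:
        print(f"{pkg.name:40} {classify_upgrade(INSTALLED, pkg)}")
    print("ABI bumps needing a manual MR:", pending_abi_bumps(INSTALLED, AVAILABLE))
```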
I think this is not worth the effort as long as we're installing the Linux kernel from stable. All this added work and complexity comes from a time when we were tracking testing/sid for improved hardware support. I hope we'll be able to do that again at some point, but in the meantime, IMO we should stop doing what's mostly busywork here.
In passing, as a bonus, if we do what I'm proposing here, then:
- The likelihood of Prevent version mismatches among binary package... (#16375) happening will be much lower (if not 0).
- We can probably reject Document shortcut to base a Linux kernel upgrad... (#20123 - closed), because that doc can remain as-is, focused on the case when we don't track stable.
- Linux kernel update process: "Major security fi... (#20379) is not a problem anymore (we stop doing this super costly analysis as long as we track stable; if we track testing/sid again, there will be far fewer CVEs to analyze)