Kernel packages missing from security-status

Bug #2028287 reported by Nathan Teodosio
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
ubuntu-advantage-tools (Ubuntu) | Triaged | Low | Unassigned |

Bug Description

If I run 'apt upgrade' in a Bionic, Pro attached machine, I get linux-image-5.4.0-153-generic (along with modules, extra etc.) installed.

That comes from ESM Infra.

--->
$ apt policy linux-image-5.4.0-153-generic
linux-image-5.4.0-153-generic:
  Installed: (none)
  Candidate: 5.4.0-153.170~18.04.1
  Version table:
     5.4.0-153.170~18.04.1 500
        500 https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main amd64 Packages
<---

However 'ua security-status --format=json' has nothing to say about that package, as it should.

Renan Rodrigo (renanrodrigo) wrote :

Hello Nathan, thanks for reaching out.

security-status will show information about the packages you have installed in your system. Given that updates to linux-image change not only the package version, but also the package name, it is considered to be a different package.

Maybe we need to create some kind of special handling for the kernel packages?
I will bring it to the team, and we will follow up.

(on a side note, we recommend using 'pro security-status' - 'pro' and 'ua' are the same, but 'pro' is preferred after the rebrand)

Changed in ubuntu-advantage-tools (Ubuntu):
status: New → Triaged
Changed in ubuntu-advantage-tools (Ubuntu):
assignee: nobody → Renan Rodrigo (renanrodrigo)
summary: - Packages missing from security-status
+ Kernel packages missing from security-status
Changed in ubuntu-advantage-tools (Ubuntu):
importance: Undecided → High
Christian Ehrhardt  (paelzer) wrote :

We are not yet sure how much effort that is, bumping the prio and giving it a ping as Renan has done the most in this area.

@Renan is this huge or actually not too complex and doable as a small fix towards R30?
Either way we want to act, do the fix or spawn a candidate for next cycle - so let me know what you think.

Renan Rodrigo (renanrodrigo) wrote :

Not huge, but not a small fix either.
Most probably doable for R30

Christian Ehrhardt  (paelzer) wrote :

Hi,
On checking that in more detail this is actually doing fine.

Because this report/discussion so far is actually about two things.
On one hand it is "why haven't I been told about the upgrade to linux-image-5.4.0-153-generic" and the answer is, because it is not upgrading.

Usually you have these (or similar) installed:
ii linux-generic-hwe-18.04 5.4.0.150.167~18.04.121
ii linux-headers-generic-hwe-18.04 5.4.0.150.167~18.04.121
ii linux-image-generic-hwe-18.04 5.4.0.150.167~18.04.121

ii linux-hwe-5.4-headers-5.4.0-150 5.4.0-150.167~18.04.1
ii linux-headers-5.4.0-150-generic 5.4.0-150.167~18.04.1
ii linux-image-5.4.0-150-generic 5.4.0-150.167~18.04.1
ii linux-modules-5.4.0-150-generic 5.4.0-150.167~18.04.1
ii linux-modules-extra-5.4.0-150-generic 5.4.0-150.167~18.04.1

And of those only the top three (the meta packages) get upgrades.
And that is properly listed as:

    {
      "download_size": 8104,
      "origin": "esm.ubuntu.com",
      "package": "linux-generic-hwe-18.04",
      "service_name": "esm-infra",
      "status": "pending_enable",
      "version": "5.4.0.159.176~18.04.127"
    },
    {
      "download_size": 8044,
      "origin": "esm.ubuntu.com",
      "package": "linux-headers-generic-hwe-18.04",
      "service_name": "esm-infra",
      "status": "pending_enable",
      "version": "5.4.0.159.176~18.04.127"
    },
    {
      "download_size": 8168,
      "origin": "esm.ubuntu.com",
      "package": "linux-image-generic-hwe-18.04",
      "service_name": "esm-infra",
      "status": "pending_enable",
      "version": "5.4.0.159.176~18.04.127"
    },

The others are not upgraded, but staying installed.
What actually happens is that the new versions of the upgraded packages pull in new dependencies and that does "install new packages" but not upgrade some.

--- --- ---

And on the other hand it is about "please also tell me about anything that would be brought in due to dependencies".

That is a new feature (and we'll keep the bug open for that) but it is of a lower priority, more effort feature.

Furthermore we should not try to replicate apt logic, so we'd need to dry-run apt to get the original resolver information. That slows things down and therefore should, even in a future with the feature added, only be done if requested via an opt-in flag.

Changed in ubuntu-advantage-tools (Ubuntu):
importance: High → Low
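
The dry-run approach described in the comment above, as an added example that is not part of the original thread or of ubuntu-advantage-tools: it reads apt's simulated plan and separates real upgrades from packages that are only pulled in as new dependencies, which is how a new kernel image arrives without appearing as an upgrade. The sample output is constructed, the `UbuntuESM` source label in it is an assumption, and the function names are hypothetical.

```python
import os
import re
import subprocess
import sys

# Constructed sample in the layout `apt-get -s` prints; package names and
# versions are the ones quoted in this thread, the source label is assumed.
SAMPLE = """\
Inst linux-modules-5.4.0-153-generic (5.4.0-153.170~18.04.1 UbuntuESM:18.04/bionic-infra-security [amd64])
Inst linux-image-5.4.0-153-generic (5.4.0-153.170~18.04.1 UbuntuESM:18.04/bionic-infra-security [amd64])
Inst linux-image-generic-hwe-18.04 [5.4.0.150.167~18.04.121] (5.4.0.159.176~18.04.127 UbuntuESM:18.04/bionic-infra-security [amd64])
Inst linux-generic-hwe-18.04 [5.4.0.150.167~18.04.121] (5.4.0.159.176~18.04.127 UbuntuESM:18.04/bionic-infra-security [amd64])
Conf linux-modules-5.4.0-153-generic (5.4.0-153.170~18.04.1 UbuntuESM:18.04/bionic-infra-security [amd64])
"""

# "Inst name [installed] (candidate source [arch])"; "[installed]" is only
# present when the package is already on the system, i.e. a real upgrade.
INST = re.compile(
    r"^Inst (?P<package>\S+)(?: \[(?P<installed>[^\]]+)\])?"
    r" \((?P<candidate>\S+) (?P<source>.*?) \[(?P<arch>[^\]]+)\]\)"
)

def simulate():
    """Ask apt's own resolver what 'apt upgrade' would do, changing nothing."""
    env = dict(os.environ, LC_ALL="C")  # keep the output unlocalised
    cmd = ["apt-get", "-s", "upgrade", "--with-new-pkgs"]
    return subprocess.run(cmd, check=True, capture_output=True,
                          text=True, env=env).stdout

def parse_simulation(text):
    """Split simulated installs into upgrades and dependency-driven new packages."""
    plan = {"upgrade": [], "new_install": []}
    for line in text.splitlines():
        m = INST.match(line)
        if m is None:
            continue  # Conf/Remv lines and resolver chatter
        kind = "upgrade" if m["installed"] else "new_install"
        plan[kind].append({"package": m["package"], "installed": m["installed"],
                           "version": m["candidate"], "source": m["source"]})
    return plan

if __name__ == "__main__":
    # --live runs apt-get; the default parses the constructed sample offline.
    text = simulate() if "--live" in sys.argv[1:] else SAMPLE
    plan = parse_simulation(text)
    for kind, entries in plan.items():
        for e in entries:
            print(f"{kind:12} {e['package']} -> {e['version']} ({e['source']})")
```
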
Renan Rodrigo (renanrodrigo) wrote :

This looks like it should be a future item, yes, to be tackled after the current ongoing status redesign.

Changed in ubuntu-advantage-tools (Ubuntu):
assignee: Renan Rodrigo (renanrodrigo) → nobody