Ubuntu – Can apt-check detect a kernel upgrade needed for security in absence of linux-generic

Tags: 16.04, kernel, package-management, security

This was put on hold as unclear. Maybe I put in too much background explanation. Mea culpa. So:

THIS IS THE QUESTION, REWORDED YET ANOTHER WAY:


Can apt-check, i.e.,

/usr/lib/update-notifier/apt-check

be made to treat potential kernel upgrades, the same way it does non-kernel upgrades, detecting them and distinguishing between those that incorporate security fixes, and those that don't, so that those that do will be reflected in the second field of apt-check's output, without having the meta-package linux-generic installed?

And if apt-check can't do this, is there some other program that can?


user535733 seems to have understood and answered it explicitly in a comment:

". . . If you uninstall the metapackage, there is NO other automated method to check for kernel upgrades…unless you write it yourself."

If nobody disagrees, and user535733 doesn't say I've misunderstood him, and puts that in an answer, I'll give him the Brownie points.

user535733 and waltinator both suggest that I could write a program to do this myself. Waltinator may be up to rewriting the source code of apt-check, but I'm not. I might be able to script a work-around, but I'd need to find some way to distinguish between kernel upgrades that have new security fixes and those that don't.

Thanks, gentlesapients.

= = = added material ends – original post follows = = =

apt-check (from the update-notifier package), which is normally used to write the MOTD but can be called directly, returns output of the form:

x;y

where x is the number of possible upgrades
and y is the number of possible SECURITY upgrades

When linux-generic is not installed, a possible kernel upgrade does NOT count toward the first number. If a kernel upgrade is needed to correct security shortcomings in older kernels, does it count toward the second number? In other words, can apt-check be depended on to tell you that you NEED to upgrade the kernel in the absence of the metapackage that depends on the latest kernel?

If this isn't clear, here is a concrete example:
Every time I upgrade to 4.4.0-77 it borks my Xenial systems, of which I have 2, both on the same machine. The only solution I've found that actually works is to restore an fsarchiver backup of the borked system, mount all my systems, run lilo (like update-grub for a different bootloader) to find the new/old kernel, reboot into the restored system and uninstall linux-generic so it won't automatically install 4.4.0-77. Right now I check what kernel linux-generic WOULD install by running:

apt-get install --simulate linux-generic

Maybe when we get to 78 or 80 or even 4.4.1 I'll try linux-generic again.

So will apt-check tell me when one of the new kernel upgrades isn't just for shiny new gee-whiz features but is actually correcting a security flaw? Or does it depend on linux-generic to do this? And if the latter, is there some alternative to apt-check for this purpose?

Best Answer

Your question is a bit convoluted but I think it boils down to the single question in the title, so that's what I'm going to address.

How Apt selects packages to upgrade

No, the Advanced Package Tool, the way it is intended, cannot install new packages (e.g. linux-image-*-generic) automatically unless another package depends on them. It only upgrades already installed packages automatically and replaces their previous version in the process.

This is one reason why we use meta-packages like linux-image-generic: to make Apt aware of new packages to install without the need to replace older versions. We do this for kernel packages because it would be difficult to replace the currently running kernel and because people want to revert to an earlier, known-to-work kernel version more easily in case anything goes wrong.

Furthermore, Apt doesn't know or care about the semantics of version numbers. All it cares about is the order of version number strings and a list of available versions, from which it selects the most suitable one for installation based on a configurable rating system. The package (repository) managers are responsible for the incorporation and publication of upstream changes, including security fixes, in replacement packages with a suitable version string.

What that means for apt-check

Now that we have covered Apt in general, I can address how that affects your question regarding update-notifier, the package that provides apt-check: like Apt, it cannot be aware of new packages to install if those don't depend on already-installed or scheduled-to-be-installed packages. If you don't have linux-image-generic installed, then Apt won't see new kernel packages, and neither will update-notifier when it queries Apt for upgradeable packages.

What if I really want this feature?

Of course, as with most things in Linux, you're welcome to write a tool that searches for patterns among all available packages to install them (semi-)automatically. I at least don't know of any on-board tools that can do this, though the task seems generic enough that I wouldn't be surprised to see a script for it that some admin hacked together.
