Hi Paul,

again, thanks for your bug report.

I went ahead in first adding /usr/bin/linux-vulnerability-mitigation, which has an 'auto' command:

  * this will clean up no longer needed mitigations based on the
    currently running kernel
  * and enable all (also newly) needed mitigations based on the
    currently running kernel

given that 'l-v-m auto' is by default run on package installation
and on updates, the system thus always has exactly the matching
and current mitigations it needs.

this way, for the normal user, all they need to do is install
the package and then forget about it again.

now, when choosing 'manual' instead of 'auto' in the debconf selection, one can still manually choose individual mitigations to be enabled/disabled.

I wonder if I should still add some logic to only show newly added mitigations to the 'manual' method, or, if it's better to add a 'manual-new-only' method.. or if it's not required to do at all because the 'auto' method already fulfills your use case.

Let me know what you think.

Regards,
Daniel
