Hi Daniel,

On Mon, 2026-05-18 at 10:29 +0200, Daniel Baumann wrote:
> I went ahead in first adding
> /usr/bin/linux-vulnerability-mitigation which has an 'auto' command:
>
> * this will clean up no longer needed mitigations based on the
>   currently running kernel
> * and enable all (also newly) needed mitigations based on the
>   currently running kernel
>
> given that 'l-v-m auto' is by default run on package installation
> and on updates, the system thus always has exactly the matching
> and current mitigations it needs.
This is very useful. The only potential issue I can think of is the following situation:

1) the user installs the l-v-m package;
2) the user installs a new linux image which fixes some of the vulnerabilities.

After the new image is installed (and the system is rebooted), the mitigations for these fixed vulnerabilities would still be in place until a new update of the l-v-m package is installed, or the user runs `l-v-m auto` manually. However, I think the benefits of automatically adding new mitigations far outweigh the drawbacks of having more modules blacklisted than strictly needed. Plus, the user can manually run `l-v-m auto` to remove the unneeded mitigations.

> I wonder if I should still add some logic to only show newly added
> mitigations to the 'manual' method, or, if it's better to add a
> 'manual-new-only' method.. or if it's not required to do at all
> because the 'auto' method already fulfills your use case.

The 'auto' method fulfils my use-case. Unfortunately, I am currently running the 6.12.86+deb13-amd64 image from trixie-security (because of issues with the nvidia-kernel-dkms package), and your 'status' options only seem to check the upstream image version, without taking backported fixes into account. Do you think it would be possible to extend the checks to include the Debian version, and to also take backported fixes into account? I believe it would be helpful as a way to get mitigations into stable releases faster after this package makes it into a stable release.

Kind regards,
Peter

