Recently I bumped into weird issue. I noticed that all new binary packages for
linux-image-amd64 are either from linux-signed-amd64 or linux-latest source packages based on the OS release. The issue is that security tracker doesn't display any security vulnerability for those two, see
linux-signed-amd64,
linux-latest. It seems like all security issues are tracked for source package
linux only.
1) JSON endpoint to detect new CVE vulnerabilities/updates.
2) If it detects new update it resolves source package to binary one. However CVEs/updates are tracked only for linux source package. Linux source package isn't referenced to new binary packages for linux kernel. For that reason I cannot link these ...