The pc-kernel snap seems to be a bit older than the deb distribution:
24/stable: 6.8.0-40.40
24.04 (deb): 6.8.0-44.44
Also don’t see a beta/candidate/edge branch for the 6.11 RCs, not sure if that’s intended and should only use debs for testing 24.10
For the record, here’s the link to the kernel release schedule:
https://kernel.ubuntu.com/
And all the gory details about all kernel packages in flight for all open/active cycles:
https://kernel.ubuntu.com/reports/kernel-stable-board/
In general, the snaps gate the debs, meaning the debs get only released to -updates after the snaps have been promoted to stable. This should happen automatically but we had some issues and had to hold back snaps (but didn’t want to block the release of debs) so in this particular case the snap had to be promoted manually. Which happened yesterday.
We are not yet building 6.11 kernel snaps, the launchpad builders are not yet ready for that and there is no urgent need.
Is this the case again? Can see that .deb kernels are on 6.8.0-47-generic whereas the snap pc-kernel has been 6.8.0-44-generic for some time.
6.8.0-47-generic was a security spin. We don’t produce snaps for those. The next one will be -48.
So if you use the kernel snap, you don’t get security updates as fast as the deb package?
Yes. Snaps go through extensive certification testing and the security cycle test window is too short for that. And there are other resource constraints at the moment that dictate this.
The installer should really mention this as a note for TPM FDE, I know that it’s an experimental option but most people would not assume enabling TPM encryption would use an out of date kernel package (at times), and leave them vulnerable.
Is there any difference in terms of zero days? Or does the update schedule for the snap stay the same regardless for the certification testing?