The Security Audit Now Verifies Its Own Patch Path
Why This Matters
The 5.60.0 live badge showed the public security grade telling an uncomfortable truth on its first day: a real pending OpenSSL update that the host’s automatic security updates had silently skipped. That was the badge working as intended. But a one-time fix is not a control. This release makes the daily security audit verify the patch path itself, so the specific blind spot that let the update slip, an automatic updater quietly matching the wrong target after the operating system moved to its next release stage, cannot recur unseen. A check that has stopped matching the right thing is invisible unless something asserts that it still matches.
What Changed
Patch path self-verification
-
The audit confirms automatic security updates target the running OS release The daily audit now checks that the host’s automatic security updates are bound to the codename of the installed release rather than to a moving alias that can slide out from under it as the release ages. A mismatch raises a graded warning instead of passing in silence.
-
Currency is checked, not just the supported-version line Packages that arrive from sources outside the operating system’s security suite, such as the application runtime, are now checked for pending updates. A runtime can no longer age quietly behind an otherwise clean grade because it sits outside the suite the automatic updater watches.
-
The security source itself is verified The audit confirms the host draws security updates from a single upstream source carrying the full component set, including firmware updates, rather than a lagging or partial mirror.
Grade weighting
- The operating-system patch check now carries the same weight as the dependency audit A pending OS security update now affects the published security grade as much as a pending application dependency vulnerability. The OpenSSL episode showed the operating-system layer is at least as load-bearing as the dependency layer, and the weighting now reflects that.
Operational Impact
- A stalled automatic-update path now surfaces as a graded warning on the next daily audit, rather than staying invisible behind a passing grade.
- Runtime and firmware update lag is observable on the schedule, not dependent on a manual upgrade being run by hand.
- The verification runs unattended on the daily audit. It does not depend on anyone remembering to check.
- No change to application behaviour, customer data, or the public API.
Files Changed
Application (API and portal): None.
Infrastructure (Security Test Harness):
- Operating-system patch check
- Verification that automatic security updates are bound to the installed release codename
- Currency sweep for packages outside the security suite
- Single-source and firmware-component checks on the security source
- Runtime patch check
- Pending-update detection beyond the supported-version line
- Audit orchestrator
- Operating-system patch check raised to match the dependency audit in the grade weighting
- Governance documentation
- Schedule, scoring, and run-mode records reconciled to current behaviour
A grade is only as honest as the checks behind it, and the audit now watches its own patch path the same way it watches everything else.