Is there any non-manual way to check if an OpenWrt device needs to be upgraded, due to some security issue? For example, can the installed packages be scanned against some list of packages with known vulnerabilities? I'm hoping to only upgrade when security issues are found and not every time a new OpenWrt release comes out.
There is no built-in auto-update or auto-notify system for OpenWrt. However, in just about every release of OpenWrt, there are vulnerabilities that have been patched, so the best way to keep secure is to keep up to date.
The Release and Security Announcements section will keep you up to date -- and you can actually subscribe to be notified when there is a new announcement.
There is also the attended sysupgrade system that will generally make upgrades easier for most users, especially when there are user-installed packages that would otherwise need to be manually reinstalled.
Thanks for your input! That has been my approach, thus far. However, it would be good to have a semi-automated way to determine when/if I need to upgrade, rather than just jumping on every new release immediately. That would help to lower the maintenance burden, I think.
The CVE/package data seems to exist, in various places, but I couldn't find any way to audit a given OpenWrt install. I guess that part doesn't exist. If I were to make such a tool, what would be the best place to get a list of known security issues in a format that can be parsed? Assuming such a thing exists, of course.
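The kind of audit asked about in this thread, sketched as an added example that is not part of the original posts and not an existing OpenWrt tool: it compares `name - version` lines, as printed by `opkg list-installed`, against a list of advisories. The advisory record layout (`id`, `package`, `fixed_in`), the package names and the versions are constructed for illustration, and the version ordering follows Debian-style rules as an assumed approximation of opkg's own comparison.

```python
import re
from itertools import zip_longest

def _order(c):
    # Debian-style weight: '~' sorts before end of string, letters before symbols
    if c in ("~", ""):
        return -1 if c == "~" else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Walk alternating non-digit/digit runs; digit runs compare numerically
    pa, pb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(pa, pb, fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def compare_versions(v1, v2):
    # Version layout [epoch:]upstream[-revision]; returns -1, 0 or 1
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def audit(installed_text, advisories):
    # installed_text: lines of "name - version", as `opkg list-installed` prints
    installed = {}
    for line in installed_text.splitlines():
        name, sep, version = line.partition(" - ")
        if sep:
            installed[name.strip()] = version.strip()
    hits = [a for a in advisories if a["package"] in installed]
    return [(a["id"], a["package"], installed[a["package"]], a["fixed_in"]) for a in hits
            if compare_versions(installed[a["package"]], a["fixed_in"]) < 0]

# Constructed sample data: package names, versions and advisory ids are made up
INSTALLED = "libexample - 1.2.3-r1\nexampled - 2.10-r4\n"
ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "package": "libexample", "fixed_in": "1.2.3-r2"},
    {"id": "EXAMPLE-ADV-2", "package": "exampled", "fixed_in": "2.9-r1"},
    {"id": "EXAMPLE-ADV-3", "package": "not-installed", "fixed_in": "1.0-r1"},
]
```

`audit(INSTALLED, ADVISORIES)` reports only packages that are installed at a version older than the advisory's `fixed_in`, so an empty result means none of the listed advisories applies to that install.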