Coming from Debian and Fedora, I saw that running a mainline kernel is unsafe as mainline does not get security patching from CVE fixes that are made available. You need an LTS kernel if you need a kernel that gets updated when vulnerability fixes are available.

In Clear Linux, is ‘kernel-native-current’ updated when fixes are available? Is native-current the same expectation as mainline? Do I need to run ‘kernel-lts’ if I want regular security patches?

We recommend using the normal base “kernel”. That gets security fixes (as upstream releases those roughly weekly - we follow usually within a day or so, depending on how fast the release goes out).

Which one is “Base”? I see:
kernel-install: Installs kernel, initrd, kernel config, system map, and creates a bootloader entry for the new kernel
kernel-native: Installs [bootloader] [hardware-uefi] [linux-firmware], linux-firmware-extras, qemu-guest-additions, console-autostart, init-rdahead-extras, irqbalance, linux, mcelog

This is what I have: uname -a Linux ThinkPadT530 6.4.11-1349.native #1 SMP Wed Aug 16 10:02:45 PDT 2023 x86_64 GNU/Linux

Just wondering if 6.4.11-1349.native is patched when CVE fixes are available?