
linux_hardened: only provide latest LTS and latest stable version #432561


Open
wants to merge 14 commits into
base: master

Conversation

Ma27
Member

@Ma27 Ma27 commented Aug 10, 2025

To actually obtain the metadata about what's an LTS, I rebased most of @Atemu's #361573.

We should really backport this part btw, otherwise automatic backports of kernel patch-releases will be broken for the rest of 25.05.


As proposed in #346018 (not closing the ticket, this affects other
variants as well).

The packaging for hardened is in a pretty sad state: it was lagging
several patch-releases behind and nobody seems to care. The update
script aged poorly: the automatic removal was flat-out broken, several
type annotations are plain wrong (`list[int] != packaging.Version`).

This patch is an attempt to reduce the scope for the maintainer team
drastically to provide some maintenance again by only packaging latest
LTS and latest stable.

Also, remove the top-level attributes for this. I still don't see any
compelling reason to give hardly used flavours that special treatment.

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.


This serves to differentiate between a kernel that is an LTS release and one
that is merely a regular "stable" release.
@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 101-500 This PR causes between 101 and 500 packages to rebuild on Linux. 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 11.by: package-maintainer This PR was created by a maintainer of all the package it changes. 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 6.topic: kernel The Linux kernel and removed 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 6.topic: kernel The Linux kernel labels Aug 10, 2025
Atemu and others added 13 commits August 10, 2025 18:30
(cherry picked from commit eb85811eb974acaf22cd0602730c034f0d699586)
These are all LTS kernels

(cherry picked from commit 1170dcdc89b2c640c449d215e8ba42fdb1b0e63b)
These are based on 6.6.y

(cherry picked from commit d44a5499d71bd03603377ea1b7905ee6ac746be6)
As proposed in NixOS#346018 (not closing the ticket, this affects other
variants as well).

The packaging for hardened is in a pretty sad state: it was lagging
several patch-releases behind and nobody seems to care. The update
script aged poorly: the automatic removal was flat-out broken, several
type annotations are plain wrong (`list[int] != packaging.Version`).

This patch is an attempt to reduce the scope for the maintainer team
drastically to provide _some_ maintenance again by only packaging latest
LTS and latest stable.

Also, remove the top-level attributes for this. I still don't see any
compelling reason to give hardly used flavours that special treatment.
@Ma27 Ma27 force-pushed the less-hardened-kernels branch from 90418ff to 10af2ee Compare August 10, 2025 16:31
@nixpkgs-ci nixpkgs-ci bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 6.topic: kernel The Linux kernel labels Aug 10, 2025
@fabianhjr
Member

For the 6.15 init it's missing some manual intervention (needs its attribute added)

I'm not opposed (I only use the latest after all and latest LTS + latest stable seems reasonable)

@fabianhjr
Member

NVM, noticed that adding the 6.15 attributes was done in this commit: 10af2ee

@nixpkgs-ci nixpkgs-ci bot added the 12.approvals: 1 This PR was reviewed and approved by one person. label Aug 10, 2025
Member

@emilazy emilazy left a comment


Sorry about the state of the update script. I believe it type‐checked when I first wrote it, but it’s been many years.

As I said before, this seems like a fine change to me in principle. I haven’t looked at the update script changes in depth. I did mention in previous discussions that “the latest LTS/stable release” and “the latest LTS/stable release that there are hardened patches for” are not necessarily the same, although I believe that back in the day the lag time was only on the order of days. I am not sure if that is still the case, or if the approach here handles it (I guess it seems like it would mostly be manual, which seems fine?).

Apologies for the maintenance burden caused by these downstream kernels. I think they’re higher‐value than some other variants we carry, but updates being broken is scary…

If you anticipate further fuss being caused by them, then I am personally okay if you just wanted to drop them entirely, since I realize that I have done almost nothing to keep them in a good state over the years.

@@ -1197,6 +1197,22 @@ mapAliases {
'';
linux_latest_hardened = linuxPackages_latest_hardened;

# Added 2025-08-10
linuxPackages_hardened = linuxKernel.packages.linux_hardened;
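Review bot: the new entry `linuxPackages_hardened = linuxKernel.packages.linux_hardened;` under `# Added 2025-08-10` moves the top-level attribute into mapAliases, so any in-tree reference to `linuxPackages_hardened` that still expects a real attribute (nixos/modules/profiles/hardened.nix is the one named in review) stops evaluating as soon as aliases are disabled. Rewrite those references to `linuxKernel.packages.linux_hardened` in this PR rather than relying on the alias, and decide whether the alias should carry the same deprecation text the preceding entries in this block use (the hunk opens with the `'';` that closes one such message); a bare alias with no warning gives users of the old attribute no signal that it is going away.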
I think this will break nixos/modules/profiles/hardened.nix when !enableAliases; that should probably be fixed.

Another alternative would be to just remove the profile, which is probably overdue at this point…

@@ -40,6 +40,7 @@ buildLinux (
in
[ rt-patch ] ++ kernelPatches;

isLTS = true;
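Review bot: `isLTS = true;` is a hard-coded literal on the rt variant rather than something derived from the base kernel it wraps, so it will go stale silently the next time this file is rebased onto a series that is not longterm. At minimum put a comment beside it naming the upstream branch whose status it mirrors (the commit message says these are based on 6.6.y) so the flag is revisited on every rebase, and check its blank-line and indentation placement against the surrounding attributes, which is the whitespace nit raised in review.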
nit: whitespace (feel free to ignore)
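The policy in the PR description (package only the newest LTS and the newest stable series) and the caveat raised in the review above (the newest upstream release is not always the newest release that has hardened patches) can be made concrete. The Python below is an added example, not the nixpkgs update script or any code from this PR. Its input shapes are assumptions: `RELEASES` loosely mirrors the `moniker`/`version` fields of kernel.org's releases.json, and `HARDENED_TAGS` assumes `<version>-hardened<N>` tag names; every value is constructed. It compares versions as integer tuples rather than strings (the type mismatch the PR description calls out), picks the newest `longterm` and `stable` series, and for each reports the newest hardened tag on that series and how many patch-releases it lags, returning `None` for the hardened field when a series has no patches yet so that case is visible instead of silently resolving to a wrong version.

```python
"""Pick the kernel versions a 'latest LTS + latest stable' hardened policy
would package, and measure how far hardened patches lag upstream.

Added example only. RELEASES loosely mirrors the "moniker"/"version" fields
of kernel.org's releases.json; HARDENED_TAGS assumes "<version>-hardened<N>"
tag names. All values are constructed, not fetched.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Compare versions as tuples of ints: "6.6.10" must sort after "6.6.9",
# which a plain string comparison gets wrong.
Version = tuple[int, ...]

_VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")
_HARDENED_RE = re.compile(r"^(\d+(?:\.\d+)*)-hardened(\d+)$")


def parse_version(text: str) -> Version:
    """'6.12.41' -> (6, 12, 41); rejects rc tags and anything non-numeric."""
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a release version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def series_of(v: Version) -> Version:
    return v[:2]  # major.minor branch, e.g. (6, 12, 41) -> (6, 12)


def patch_level(v: Version) -> int:
    return v[2] if len(v) > 2 else 0  # treat "x.y" as "x.y.0"


def format_version(v: Version) -> str:
    return ".".join(str(part) for part in v)


def parse_hardened_tag(tag: str) -> tuple[Version, int] | None:
    """'6.12.41-hardened1' -> ((6, 12, 41), 1); None for unrelated tags."""
    m = _HARDENED_RE.match(tag)
    return None if m is None else (parse_version(m.group(1)), int(m.group(2)))


@dataclass(frozen=True)
class Selection:
    series: str            # e.g. "6.12"
    upstream: str          # newest upstream release on that series
    hardened: str | None   # newest hardened tag on that series, or None
    lag: int | None        # upstream patch level minus hardened patch level


def latest_for_moniker(releases: list[dict], moniker: str) -> Version | None:
    """Newest release carrying the given kernel.org moniker, or None."""
    found = [parse_version(r["version"]) for r in releases if r["moniker"] == moniker]
    return max(found) if found else None


def newest_hardened_in_series(tags: list[str], branch: Version) -> tuple[Version, int] | None:
    """Newest hardened tag on a branch; equal versions break on the -hardenedN revision."""
    found = []
    for tag in tags:
        parsed = parse_hardened_tag(tag)
        if parsed is not None and series_of(parsed[0]) == branch:
            found.append(parsed)
    return max(found) if found else None


def select_hardened(releases: list[dict], tags: list[str]) -> dict[str, Selection]:
    """Return {'lts': ..., 'stable': ...} for the newest longterm and stable series."""
    result: dict[str, Selection] = {}
    for label, moniker in (("lts", "longterm"), ("stable", "stable")):
        upstream = latest_for_moniker(releases, moniker)
        if upstream is None:
            continue
        branch = series_of(upstream)
        hardened = newest_hardened_in_series(tags, branch)
        if hardened is None:
            # No patches for this series yet: surface it rather than guess a version.
            result[label] = Selection(format_version(branch), format_version(upstream), None, None)
            continue
        hv, rev = hardened
        result[label] = Selection(
            series=format_version(branch),
            upstream=format_version(upstream),
            hardened=f"{format_version(hv)}-hardened{rev}",
            lag=patch_level(upstream) - patch_level(hv),
        )
    return result


# Constructed sample data (not real kernel.org or linux-hardened output).
RELEASES = [
    {"moniker": "mainline", "version": "6.17-rc1"},  # ignored: neither stable nor longterm
    {"moniker": "stable", "version": "6.16.2"},
    {"moniker": "longterm", "version": "6.12.41"},
    {"moniker": "longterm", "version": "6.6.100"},
    {"moniker": "longterm", "version": "6.1.147"},
]
HARDENED_TAGS = [
    "6.16.1-hardened1",   # one patch-release behind upstream 6.16.2
    "6.12.40-hardened2",
    "6.12.41-hardened1",  # newer version wins over the higher -hardenedN revision
    "6.6.100-hardened1",
    "v6.12",              # unrelated tag, must be ignored
]

if __name__ == "__main__":
    for label, sel in select_hardened(RELEASES, HARDENED_TAGS).items():
        print(f"{label}: {sel}")
```

Run as-is it reports the LTS pick with a lag of 0 and the stable pick one patch-release behind; dropping the 6.16 tags from `HARDENED_TAGS` makes the stable entry come back with `hardened=None`, which is the point at which a maintainer has to decide manually whether to keep shipping the previous series, as the review above anticipates.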

@fabianhjr
Member

I would oppose the complete removal and would prefer to keep at least latest LTS + latest stable.

@nixpkgs-ci nixpkgs-ci bot added the 2.status: merge conflict This PR has merge conflicts with the target branch label Aug 17, 2025
5 participants