linuxPackages: various changes #29440
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I'd merge the hardened-config stuff without much hesitation. Note that initially it was only meant as a sandbox for testing potentially controversial features, so I'm kind of meh on adding more hardened variants apart from The features stuff looks okay to me but it's outside my purview. |
|
Would you mind if I cherry-picked only the commits affecting hardened-config? |
|
Note that initially it was only meant as a sandbox for testing
potentially controversial features, so I'm kind of meh on adding more
hardned variants apart from `latest`, but if somebody wants it then
I'm not against it.
I didn't notice any slowdowns after booting into it and `dmesg` now
clearly shows that I have some security problems, which has a nice
motivating effect :)
TBH, I think we shouldn't just enable most (except `PANIC_*` and
`DEBUG_*`) of those options by default. Users that need to run legacy
software can use an "insecure" kernel.
Would you mind if I cherry-picked only the commits affecting hardened-config?
Nah, feel free to pick whatever you like. But the last commit (xen)
depends on the first, so they are not exactly independent.
Also, the first commit, IMHO, needs to be merged to 17.09 too. I was
really surprised `features` didn't actually do anything (they have no
effect on `master`, `_xen_dom0` kernel has the same hash as the
default).
|
|
TBH, I think we shouldn't just enable most (except `PANIC_*` and
Oops, I meant "I think we should".
|
|
I agree some of the configs are "obviously good" and should be moved. I just find it tedious to do so (as it arguably should be, given the number of users affected compared to just the hardened-config). |
|
I've picked the hardened-config stuff. Will pick the features cleanup as well unless somebody objects. |
oxij
force-pushed
the
pkg/linuxPackages
branch
from
fb2c9f4
to
6e37c84
Compare
|
@GrahamcOfBorg eval |
|
@GrahamcOfBorg eval
undefined variable ‘linuxPackages_hardened_copperhead’ at
/home/grahamc/.nix-test-rs/repo/38dca4e3aa6bca43ea96d2fcc04e8229/mr-est/grahamc-laptop/pkgs/top-level/all-packages.nix:12829:31
Should I add an alias for that? Btw, not all the packages in those
`linuxPackages` evaluate (same as before this patchset).
|
oxij
force-pushed
the
pkg/linuxPackages
branch
from
6e37c84
to
0c78be6
Compare
|
- [X] Automated checks pass.
- [X] All kernels I touched compiled fine locally.
Its perfect.
|
oxij
force-pushed
the
pkg/linuxPackages
branch
from
0c78be6
to
e995d25
Compare
|
Rebased onto master (the 3rd time). Is there a problem with this? If you feel insecure about this, can't you just merge into staging or something?
|
oxij
force-pushed
the
pkg/linuxPackages
branch
from
e995d25
to
1a40482
Compare
oxij
force-pushed
the
pkg/linuxPackages
branch
from
1a40482
to
a522778
Compare
|
ping! |
|
@GrahamcOfBorg eval |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation for this change
featureswas broken. And nobody noticed for years.All the old hashes stay the same (not a mass rebuild, despite how it looks).
Things done
build-use-sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)