linuxPackages: various changes #29440
Conversation
I'd merge the hardened-config stuff without much hesitation. Note that initially it was only meant as a sandbox for testing potentially controversial features, so I'm kind of meh on adding more hardened variants apart from `latest`, but if somebody wants it then I'm not against it. The features stuff looks okay to me but it's outside my purview.

Would you mind if I cherry-picked only the commits affecting hardened-config?
> Note that initially it was only meant as a sandbox for testing potentially controversial features, so I'm kind of meh on adding more hardened variants apart from `latest`, but if somebody wants it then I'm not against it.

I didn't notice any slowdowns after booting into it and `dmesg` now clearly shows that I have some security problems, which has a nice motivating effect :)

TBH, I think we shouldn't just enable most (except `PANIC_*` and `DEBUG_*`) of those options by default. Users that need to run legacy software can use an "insecure" kernel.

> Would you mind if I cherry-picked only the commits affecting hardened-config?

Nah, feel free to pick whatever you like. But the last commit (xen) depends on the first, so they are not exactly independent.

Also, the first commit, IMHO, needs to be merged to 17.09 too. I was really surprised `features` didn't actually do anything (they have no effect on `master`, the `_xen_dom0` kernel has the same hash as the default).
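The two checks the comment above implies, "did the hardened options actually land in the kernel I booted" and "does this kernel variant differ from the default at all", can be done against the kernel `.config` without rebuilding anything. The script below is an added example, not code from this PR, from nixpkgs or from its authors. The set of hardening symbols in `HARDENING_OPTS`, the two sample config files and all function names are assumptions made for illustration; the thread does not list which options the hardened config sets.

```shell
#!/bin/sh
# Added example, not from the nixpkgs PR. Inspect kernel .config files:
# which hardening options are off, and whether two configs differ at all.
# The option list below is an assumption for illustration only.
HARDENING_OPTS="CONFIG_STRICT_KERNEL_RWX CONFIG_HARDENED_USERCOPY \
CONFIG_SLAB_FREELIST_RANDOM CONFIG_FORTIFY_SOURCE CONFIG_PANIC_ON_OOPS CONFIG_DEBUG_WX"

# Print every symbol as SYM=VALUE, one per line, sorted in the C locale.
# "# CONFIG_X is not set" becomes CONFIG_X=n; other comment lines are dropped.
kconfig_normalize() {
    sed -n -e 's/^# \(CONFIG_[A-Z0-9_]*\) is not set$/\1=n/' \
           -e '/^CONFIG_[A-Z0-9_]*=/p' "$1" | LC_ALL=C sort
}

# Value of one symbol: y, m, n, a string/number, or "-" if the symbol is absent.
kconfig_value() {
    v=$(kconfig_normalize "$1" | sed -n "s/^$2=//p" | head -n 1)
    printf '%s\n' "${v:--}"
}

# Print SYM=VALUE for each hardening option that is not =y.
# Exit 0 when all of them are enabled, 1 otherwise.
missing_hardening() {
    rc=0
    for sym in $HARDENING_OPTS; do
        v=$(kconfig_value "$1" "$sym")
        if [ "$v" != "y" ]; then
            printf '%s=%s\n' "$sym" "$v"
            rc=1
        fi
    done
    return "$rc"
}

# Symbols whose value differs between two configs (comm output: lines only
# in the first file unindented, only in the second tab-indented).
# Empty output means the two kernels were configured identically.
kconfig_diff() {
    a=$(mktemp); b=$(mktemp)
    kconfig_normalize "$1" > "$a"
    kconfig_normalize "$2" > "$b"
    LC_ALL=C comm -3 "$a" "$b"
    rm -f "$a" "$b"
}

# Dump the running kernel's config (needs CONFIG_IKCONFIG_PROC, or a
# distro-provided /boot/config-*); returns 1 if neither is available.
running_kconfig() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz > "$1"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)" > "$1"
    else
        return 1
    fi
}

# Constructed sample configs (not real kernel configs) so the script can be
# exercised offline: one "hardened", one "insecure".
make_sample_configs() {
    cat > "$1/hardened.config" <<'EOF'
# Kernel configuration (constructed sample)
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_PANIC_ON_OOPS=y
CONFIG_DEBUG_WX=y
EOF
    cat > "$1/insecure.config" <<'EOF'
# Kernel configuration (constructed sample)
CONFIG_STRICT_KERNEL_RWX=y
# CONFIG_HARDENED_USERCOPY is not set
CONFIG_SLAB_FREELIST_RANDOM=y
# CONFIG_FORTIFY_SOURCE is not set
CONFIG_PANIC_ON_OOPS=y
EOF
}

# Usage: sh kconfig-check.sh --running   (checks the booted kernel)
#        sh kconfig-check.sh --demo      (runs on the constructed samples)
case "${1:-}" in
    --running)
        t=$(mktemp) && running_kconfig "$t" && missing_hardening "$t"
        ;;
    --demo)
        d=$(mktemp -d) && make_sample_configs "$d"
        echo "== not enabled in insecure.config"; missing_hardening "$d/insecure.config"
        echo "== hardened vs insecure";          kconfig_diff "$d/hardened.config" "$d/insecure.config"
        ;;
esac
```

`kconfig_diff` is the cheap way to notice the situation the comment describes: if two kernel variants normalize to the same symbol list, the variant's extra configuration never reached the build, whatever the attribute name suggests. `missing_hardening` exits non-zero when an option is off, so it can gate a deployment step.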
> TBH, I think we shouldn't just enable most (except `PANIC_*` and

Oops, I meant "I think we should".
I agree some of the configs are "obviously good" and should be moved. I just find it tedious to do so (as it arguably should be, given the number of users affected compared to just the hardened-config).

I've picked the hardened-config stuff. Will pick the features cleanup as well unless somebody objects.
Looks fine to me. Thanks!
Force-pushed from fb2c9f4 to 6e37c84.
@GrahamcOfBorg eval

@GrahamcOfBorg eval
undefined variable ‘linuxPackages_hardened_copperhead’ at /home/grahamc/.nix-test-rs/repo/38dca4e3aa6bca43ea96d2fcc04e8229/mr-est/grahamc-laptop/pkgs/top-level/all-packages.nix:12829:31

Should I add an alias for that? Btw, not all the packages in those `linuxPackages` evaluate (same as before this patchset).
Force-pushed from 6e37c84 to 0c78be6.
- [X] Automated checks pass.
- [X] All kernels I touched compiled fine locally.

It's perfect.
Force-pushed from 0c78be6 to e995d25.
Rebased onto master (the 3rd time). Is there a problem with this? If you feel insecure about this, can't you just merge into staging or something?
Force-pushed from e995d25 to 1a40482.

Force-pushed from 1a40482 to a522778.
ping!

@GrahamcOfBorg eval
Motivation for this change

`features` was broken. And nobody noticed for years. All the old hashes stay the same (not a mass rebuild, despite how it looks).

Things done

- sandboxing: `build-use-sandbox` in `nix.conf` (on non-NixOS)
- `nix-shell -p nox --run "nox-review wip"`
- `./result/bin/`