nixos/profiles: remove hardened #501199

Merged
zowoq merged 1 commit into NixOS:master from qowoz:rm-nixos-hardening
Mar 22, 2026

Contributor

@zowoq zowoq commented Mar 19, 2026

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

@zowoq zowoq mentioned this pull request Mar 19, 2026
13 tasks
@zowoq zowoq requested a review from emilazy March 19, 2026 02:32
@nixpkgs-ci nixpkgs-ci bot requested review from a team and GetPsyched March 19, 2026 02:36
@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 6.topic: kernel The Linux kernel 8.has: changelog This PR adds or changes release notes 8.has: module (update) This PR changes an existing module in `nixos/` 8.has: documentation This PR adds or changes documentation labels Mar 19, 2026
Comment on lines -1683 to -1685
"sec-profile-hardened": [
"index.html#sec-profile-hardened"
],
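Review bot: deleting the `sec-profile-hardened` key at -1683 to -1685 drops the only visible mapping for `index.html#sec-profile-hardened`, so existing links to that anchor lose their target. Keep the old location by listing it under the key of the entry that replaces this section (for example the release-notes item announcing the removal) rather than removing it outright.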
Member

Let's have an anchor on the release notes entry and have this element moved into its list.

Similar

Contributor Author

I don't understand what you're asking for. If you want changes to the docs post the diff and I'll include it.

Member

Following in the release notes entry:

- []{#sec-release-26.05-incompatibilities-profiles-hardened-removed} `profiles/hardened` has been removed, because:

And following in the redirects.json:

  "sec-release-26.05-incompatibilities-profiles-hardened-removed": [
    "release-notes.html#sec-release-26.05-incompatibilities-profiles-hardened-removed",
    "index.html#sec-profile-hardened"
  ],

It's the same as I linked in the previous comment.

Contributor

@r-vdp r-vdp left a comment

I'm in favour, I've seen several issues opened by people using this profile and running into random breakage.

@nixpkgs-ci nixpkgs-ci bot added the 12.approvals: 1 This PR was reviewed and approved by one person. label Mar 19, 2026
@alyssais
Member

Not opposed but would like to see it justified in the commit message.

@emilazy
Member

emilazy commented Mar 20, 2026

The justification in the release notes the commit adds is even better (because visible to users), right?

@nixpkgs-ci nixpkgs-ci bot added 12.approvals: 2 This PR was reviewed and approved by two persons. and removed 12.approvals: 1 This PR was reviewed and approved by one person. labels Mar 20, 2026
@GetPsyched
Member

Please do not merge until a redirect is added (#501199 (comment)).


Request to committers in general while reviewing:

Please avoid merging if appropriate redirects haven't been added wherever applicable. Dropping entries from redirects.json beats the point of having that system. Also see: #353513

- It lacks a consistent and transparent baseline or standard,
- It may introduce unexpected breakage or degrade performance without clear benefit,
- It is difficult to manage user expectations, especially since the implications of enabling it are not always obvious,
- and as multiple contributors have noted, it is often more of a “grab bag” of settings than a cohesive security policy.
@zowoq zowoq force-pushed the rm-nixos-hardening branch from e4a2f86 to 18a4528 Compare March 20, 2026 23:53
Member

@GetPsyched GetPsyched left a comment

@fricklerhandwerk did we also care about ordering in redirects.json? IIRC we didn't enforce it per se, and had the CLI not auto-sort keys.

@nixpkgs-ci nixpkgs-ci bot added 12.approvals: 3+ This PR was reviewed and approved by three or more persons. and removed 12.approvals: 2 This PR was reviewed and approved by two persons. labels Mar 21, 2026
@Ma27
Member

Ma27 commented Mar 21, 2026

> IIRC we didn't enforce it per se

If it's not enforced by tooling, I'd say there's zero reason to push the work onto humans.

@fricklerhandwerk
Contributor

fricklerhandwerk commented Mar 21, 2026

We converged on not enforcing it because it would keep the minimum required diff smaller. Otherwise you may have situations where a rename would also be a move, and that would make reviews more of a hassle. (Maybe worth noting in the design doc! @GetPsyched could you add a sentence there?)

But yes, please don't just ditch old URLs.

@Golbinex
Contributor

If this gets merged, I'll at least add explained profile options to new "NixOS Hardening" wiki page so users interested in hardening will still have some guide.

@zowoq zowoq added this pull request to the merge queue Mar 22, 2026
Merged via the queue into NixOS:master with commit 1f69b21 Mar 22, 2026
30 of 32 checks passed
@zowoq zowoq deleted the rm-nixos-hardening branch March 22, 2026 23:26
9 participants