As one of the maintainers of the Linux kernels in nixpkgs (and also taking care of backports and thus also removals)
First of all, thank you for the time you’re investing in maintaining this critical part of NixOS!
First of all the obvious: continuing to maintain these (as other distros probably do) is not an option. We lack manpower and (most likely) in-depth knowledge to do it in a reliable way.
What is the typical amount of maintenance that fixed version kernel requires? I understand that every time a kernel-related change is proposed for Nixpkgs, it needs to be compatible with all current kernel packages. So the workload likely grows with the amount of supported kernels. But I can also imagine that unsupported kernel could account for more issues, compared to LTS kernels. What I wonder is how much work is this in practice? Are talking about something on the scale of a few hours per week, per month or per year? I’m trying to better understand how the Nixpkgs maintainers workload would be impacted by keeping EOL-ed kernels around for a bit longer.
To get back to the original problem: I’m afraid that too many people will do that without thinking too much about the consequences and if people have a 0day exploit on their system then, the bad press will probably get back to us.
One of my NixOS machines is a laptop with AMD CPU and nVidia GPU released this year. IIRC, Linux 5.17 was the first kernel that properly supported this machine (the most essential features, there’s still some minor driver stuff that will likely be fixed with 6.1 / 6.2), so using an 5.15 is simply not an option. On the other hand, I am also using ZFS, so 5.19 is still the only option for me, since 6.0 is not yet supported by ZFS (stable).
I’d really appreciate if you could take a moment to think about people in situations similar to mine, and suggest a proper way forward, as from your post it sounds like you’re implying that one should either:
- not use NixOS (god forbid one becomes a victim of zero day exploit and dares to publicly blame NixOS for their misfortunes it in the press)
- not use ZFS (perhaps it should removed from nixpkgs?)
- not use new hardware (?!)
From my simplistic point of view, the principled (*) solution is to either completely eliminate ZFS and nVidia support from Nixpkgs entirely or: accept the simple rule (I haven’t thought much about it, so it can most likely be improved) that boot.zfs.package.latestCompatibleLinuxPackages
should never be downgraded and that it should always point to a version that is also compatible with nvidia’s unfree proprietary driver. If that means keeping one EOL kernel, simply mark its package as insecure and let users take the risk if they want.
(*) I’m saying “principled” as I think that if maintainers don’t want to maintain certain features (with the complex interactions that they may bring) they should simply not keep them in the codebase and advertise them as supported or they should be supported to the extent practically possible.
[…] But still, most of the people just enabled it and even tutorials advertised that without talking too much about the consequences and now people seem surprised that things change within e.g. the source tree abstraction.
I really don’t get why we are even discussing this. Every user is making a choice with how they’re managing their system. If something was marked as “experimental”, “insecure” or “broken”, the users have willingly taken the risk and have no one to blame if something goes wrong but themselves. But the situation is also not black and white - one makes the risk-benefit analysis for their particular situation and decides whether e.g. using flakes is worth the risk.
Please excuse me for sounding overly confrontational, and not appreciative of work that all Nixpkgs maintainers are putting in, but to me it seems illogical to take positions out of fear of the mere potential for “bad press” (e.g. being against keeping EOL-ed kernel as insecure package) but at the same time straight up breaking existing users’ setup (by removing the only kernels that supported their setup from the stable Nixpkgs branch).