Proposal to deprecate the hardened profile

Hi everyone,

I’ve submitted a pull request to deprecate the hardened profile; see “profiles/hardened: deprecate profile” by felbinger (Pull Request #383438, NixOS/nixpkgs on GitHub).

The current profile enables a wide range of hardening options by default, but over time it has become clear that:

  • It lacks a consistent and transparent baseline or standard,
  • It may introduce unexpected breakage or degrade performance without clear benefit,
  • It is difficult to manage user expectations, especially since the implications of enabling it are not always obvious,
  • and as multiple contributors have noted, it is often more of a “grab bag” of settings than a cohesive security policy.

We’ve discussed this extensively in the nixpkgs / NixOS contributions Matrix channel. The consensus among several maintainers (including K900 and emilazy) is that it’s time to remove this profile entirely rather than continue maintaining something that may give users a false sense of security or create unpredictable outcomes.

If you are currently using this module, I’d really appreciate hearing your perspective on this change. The idea is to post this proposal here, give it about a week for feedback, and then proceed with the merge if there are no strong objections.

Thanks in advance for your feedback!

Nico
