All that sounds very reasonable, and thank you for your perspective and time!
So what about just emptying the profile and starting fresh?
Here’s where I’m coming from on this: Yesterday (thanks to some corpo press release that made the rounds but isn’t worth linking) I learned about io_uring. Clearly many people involved in Linux infosec have known about io_uring for years, but I’m not one of those people. In particular, I learned that Google considers io_uring to be a major source of vulnerabilities and consequently disables it on ChromeOS and their production servers, and I believe RHEL ships with it disabled as well.
Now, I freely admit to being a cargo-cult infosec amateur, but I see those things and I think, maybe I want this disabled too. Does NixOS disable it by default? No, it turns out, though grepping Nixpkgs throws up some comments that suggest that the Nix sandbox does. Should NixOS disable it by default? I have no idea! On the one hand, it seems like this is a feature that is connected to performance, and someone out there will be unhappy if disabling io_uring costs them 5 FPS on whatever the shooter game of the day is. On the other hand, I don’t know what I’m doing, but Google and RHEL probably do?
But I don’t want to just sit on my new-found amateur-level knowledge and hoard it in my own config, leaving other people to learn it for themselves the same way I did or remain in blissful ignorance. That’s not the FOSS way. So I opened this PR, because hardened.nix seems like exactly the right place for this kind of speculative-but-also-not-entirely-ungrounded config tweak that might make your system more secure, no guarantees, this does not constitute professional infosec advice.
So… if we gut all the cruft out of hardened.nix, but still leave it around for PRs like mine, then I still have a place to share this and have other community members participate in the conversation about whether it’s appropriate and helpful or not, just like everything else in Nixpkgs.
If we remove it entirely, I’m left ‘owning’ my own configuration, and it helps nobody else, and it doesn’t even help me as much as it could if other people were looking at it—even very occasionally!—and helping to come up with reasons like the ones you go into for why it does or doesn’t make sense. Who benefits from doing that?
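For readers who want to see what the tweak discussed in this post looks like in practice, here is an added example (not the PR's own diff, which is not reproduced here, and not part of the original post). It assumes the knob used is the kernel.io_uring_disabled sysctl, which exists in Linux 6.6 and later; how the actual PR implements it is not stated on this page.

```nix
# Added example: a small NixOS module that disables io_uring system-wide.
# Assumption: the kernel is 6.6 or newer, where the sysctl below exists.
# Values for kernel.io_uring_disabled:
#   0 = io_uring enabled for everyone (kernel default)
#   1 = io_uring_setup() only allowed for processes with CAP_SYS_ADMIN
#       (or in the group named by kernel.io_uring_group)
#   2 = io_uring_setup() refused for every process
{ config, lib, pkgs, ... }:

{
  boot.kernel.sysctl = {
    # Refuse io_uring_setup() for all processes, matching the
    # "disable it entirely" stance mentioned in the discussion.
    "kernel.io_uring_disabled" = 2;
  };

  # Make the choice visible in the build log so nobody is surprised
  # when a program that wants io_uring falls back to its slower path.
  warnings = lib.optional
    (config.boot.kernel.sysctl."kernel.io_uring_disabled" or 0 == 2)
    "io_uring is disabled system-wide; software relying on it will fall back or fail at io_uring_setup().";
}
```

After a rebuild, `sysctl kernel.io_uring_disabled` (or `cat /proc/sys/kernel/io_uring_disabled`) should print 2; on kernels older than 6.6 the sysctl does not exist and the setting is silently ignored, so checking the running value is the only way to confirm it took effect. Programs that need io_uring will see io_uring_setup() fail with EPERM and either fall back to epoll/threads or exit, which is the performance trade-off the post alludes to.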