Why does pkgs.linux_hardened lag behind pkgs.linux?

As of now, for release-23.11, hardened is at 6.1.81 while linux is at 6.1.92.

For release-24.05, hardened is 6.6.31 which is behind linux at 6.6.32.

From quick glance at pkgs/top-level/linux-kernels.nix, it seems to be generated functionally using the same sources for linux.

I’ve been using NixOS since during 23.05 and this gap seems unpredictable. What’s causing this?

1 Like

This may help:

nix eval --json -L --impure \
  --expr 'with (builtins.getFlake "nixpkgs").legacyPackages.${builtins.currentSystem};
  builtins.map
    (k: builtins.unsafeGetAttrPos "src" k)
    [ linux linux_hardened ]
  ' | \
  jq .

When I read the files the above command prints, I suspect the version gap is related to:

Which specifies for each major version X.Y of a kernel a more specific and full version and a sha256 that are used eventually here:

If this small gap within the same major version bothers you, perhaps this is due to the hardened kernel patches maintainer, or perhaps you should run one of the supplied update scripts to fix this:

You mean to say you are afraid that the version bump between the nixos releases will cause you issues? I wouldn’t be afraid of that.

1 Like

Thanks for your detailed reply :slight_smile: and apologies for my late response.

If this small gap within the same major version bothers you, perhaps this is due to the hardened kernel patches maintainer

Since I’m talking about the kernel packaged in nixpkgs, patches.json not being updated regularly seems to be the cause. For nixos-23.11, this was last updated 3 months ago.

perhaps you should run one of the supplied update scripts to fix this

I guess I’ll need to maintain my own version of nixpkgs?! It’ll be convenient if I didn’t have to manually update it everytime and sync with upstream. I’ll try using github-actions.

You mean to say you are afraid that the version bump between the nixos releases will cause you issues?

No, I am talking during the same release here. I just took example of nixos-23.11 as I think that’s a huge gap between 6.1.81-hardened and 6.1.92.

Why don’t you make pull requests?

BTW this might be of interest to anyone reading this: