Until now we merged kernel updates even if no hardened versions were
available yet. On one hand we don't want to delay patch-level updates,
on the other hand users of hardened kernels have frequent breakage now[1].
This change aims to provide a solution to this issue:
* The hardened patchset now references the kernel version it's released
for (including a sha256 hash for the fixed-output path of the source
tarball).
* The `hardenedKernelFor`-function doesn't just append hardened patches
now, but also overrides version & src to match the kernel version the
patch was built & tested for.
Refs #140281
[1] https://hydra.nixos.org/job/nixos/trunk-combined/nixpkgs.linuxPackages_hardened.kernel.x86_64-linux/all
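To illustrate the idea behind the pinning described above, here is a simplified Nix sketch (added for illustration; it is not nixpkgs' own `hardenedKernelFor` and does not use its real attribute layout). The version, sha256, patch path and the helper name `pinToPatchset` are assumptions; the point is that the patchset record carries the kernel version it was tested against together with the tarball hash, so `src` is re-pinned as a fixed-output derivation before the patch is applied.

```nix
{ lib, fetchurl }:

let
  # Constructed sample entry: the kernel version this hardened patch was built
  # and tested against, and the sha256 of that version's source tarball.
  # Both values are placeholders; real entries come from the patch release.
  hardenedPatchset = {
    version = "5.14.15";            # assumed sample version
    sha256 = lib.fakeSha256;        # placeholder hash, replaced with the real one
    patch = ./linux-hardened.patch; # assumed path to the hardened patch
  };

  # Assumed helper (not nixpkgs' hardenedKernelFor): instead of only appending
  # the patch, override version and src so the kernel actually built is the
  # one the patchset targets, then add the patch on top.
  pinToPatchset = kernel: ps:
    kernel.overrideAttrs (old: {
      version = ps.version;
      # Fixed-output fetch: the build fails if the tarball does not match
      # the hash recorded next to the patch.
      src = fetchurl {
        url = "mirror://kernel/linux/kernel/v${lib.versions.major ps.version}.x/linux-${ps.version}.tar.xz";
        inherit (ps) sha256;
      };
      patches = (old.patches or [ ]) ++ [ ps.patch ];
    });
in
{
  inherit hardenedPatchset;
  # Usage: pinToPatchset linux_5_14 hardenedPatchset
  inherit pinToPatchset;
}
```

The trade-off this encodes is the one the message states: a point-release update to the unpatched kernel no longer silently changes the base the hardened patch is applied to, at the cost of the hardened variant lagging until a matching patchset is released.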
Now there are a few more folks who should get pinged on kernel changes:
$ nix-instantiate -E 'with import ./. {}; (map (x: x.github) linux.meta.maintainers)' --eval --strict
[ "TredwellGit" "mweinelt" "ma27" "nequissimus" "alyssais" "thoughtpolice" ]
Refs #140281
This reverts commit 98ae18fa62.
Apparently the consensus is that a broken kernel is preferred over a
working one that is based on an outdated kernel:
98ae18fa62
linux: build DTBs in buildPhase, install with everything else
This improves build speed, especially on machines with lots of cores
such as the aarch64 community box and hydra builders.
The default version (modprobe-small) is missing important features,
and can also be _extremely_ slow (on purpose[1]).
The non-small modprobe implementation doesn't have all features
enabled by default, so by changing implementation we'd be risking
regression. To mitigate that, I've ensured every feature checked for
in modprobe.c is enabled. So unless there's functionality that's
_only_ in modprobe-small, we should be fine.
[1]: https://git.busybox.net/busybox/tree/modutils/Config.src?h=1_34_1#n8