nixos/doc/releases: Do not tag the release #124364
Conversation
I have seen a customer use the release tag as a pinned version and the same can happen in flake input URLs or similar input configs, like `niv --branch`. This results in an out-of-date version of _all_ system packages, putting users at risk of security vulnerabilities and other issues that are addressed during the lifetime of a Nixpkgs/NixOS release. So clearly the tag poses a risk, but does it have a benefit? I don't think so. It does not name the branch-off point, so we don't need it for git operations. It does not represent the best or canonical version of the release either, as further fixes always occur after the release date. If it were the case, we'd tag all channel updates, but we don't, so for the same reasons, we should not tag the release.
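The pinning mistake the description warns about, as an added example that is not part of this PR or of Nixpkgs: a small Python audit that flags flake inputs and niv sources whose ref is a bare Nixpkgs release tag rather than a channel or release branch that keeps receiving fixes. The `YY.MM` tag pattern, the branch names and the sample inputs are assumptions constructed for the example; the URL handling covers only the `github:` and `?ref=` forms.

```python
"""Flag Nix inputs pinned to a bare Nixpkgs release tag.

Added example, not code from this PR or from Nixpkgs. Assumptions:
release tags look like "21.05" (YY.MM); branches that keep receiving
fixes look like "nixos-21.05", "release-21.05" or "nixpkgs-unstable".
Only flake URLs of the forms github:owner/repo[/ref][?ref=...] and
<scheme>://...?ref=... are understood.
"""
import json
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Assumption: a Nixpkgs release tag is exactly two digits, a dot, two digits.
RELEASE_TAG = re.compile(r"^\d{2}\.\d{2}$")


def ref_of_flake_url(url: str) -> Optional[str]:
    """Return the ref a flake input URL pins to, or None if it names none."""
    if url.startswith("github:"):
        path, _, query = url[len("github:"):].partition("?")
        parts = path.split("/")
        # github:owner/repo/ref -> third path component is the ref
        ref = parts[2] if len(parts) >= 3 and parts[2] else None
        if query:
            # an explicit ?ref= query parameter overrides the path form
            ref = parse_qs(query).get("ref", [ref])[0]
        return ref
    query = parse_qs(urlparse(url).query)
    return query["ref"][0] if "ref" in query else None


def is_release_tag(ref: Optional[str]) -> bool:
    """True when the ref is a bare release tag rather than a branch."""
    return bool(ref and RELEASE_TAG.match(ref))


def audit_flake_inputs(inputs: dict) -> list:
    """Names of flake inputs (name -> url) pinned to a release tag."""
    return [name for name, url in inputs.items()
            if is_release_tag(ref_of_flake_url(url))]


def audit_niv_sources(sources_json: str) -> list:
    """Names of niv sources whose 'branch' field is really a release tag."""
    sources = json.loads(sources_json)
    return [name for name, src in sources.items()
            if is_release_tag(src.get("branch"))]


# Constructed sample inputs: two of the four flake inputs and one of the
# two niv sources are pinned to a tag and will stop receiving fixes.
SAMPLE_FLAKE_INPUTS = {
    "nixpkgs": "github:NixOS/nixpkgs/21.05",
    "nixpkgs-stable": "github:NixOS/nixpkgs/nixos-21.05",
    "unstable": "github:NixOS/nixpkgs?ref=nixpkgs-unstable",
    "legacy": "git+https://github.com/NixOS/nixpkgs?ref=20.09",
}
SAMPLE_NIV_SOURCES = json.dumps({
    "nixpkgs": {"owner": "NixOS", "repo": "nixpkgs", "branch": "21.05"},
    "nixpkgs-fixed": {"owner": "NixOS", "repo": "nixpkgs",
                      "branch": "release-21.05"},
})

if __name__ == "__main__":
    for name in audit_flake_inputs(SAMPLE_FLAKE_INPUTS):
        print(f"flake input {name!r} is pinned to a release tag")
    for name in audit_niv_sources(SAMPLE_NIV_SOURCES):
        print(f"niv source {name!r} is pinned to a release tag")
```

A pin to a commit hash is a separate case: it is stale by design and has to be bumped deliberately, whereas a tag pin looks like it tracks the release but never moves. Once a tag pin is found, the gap to the maintained branch can be measured in a checkout with `git rev-list --count <tag>..origin/release-YY.MM`.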
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/removing-the-nixos-release-tag/13255/1
Please stick to tagging the release branch-off commit! It's useful when
Thank you @NobbZ.
I also find it confusing that the tags point to an essentially random revision (and might have made the same mistake as your customer). I don't think we use this tag anywhere either; even the ISO downloads are made from the release-* branch.
Maybe we could use a different name for the branch-off tag, like
This is the wrong location for doing release documentation updates. The release guide has moved to https://github.com/NixOS/release-wiki
Hmm, guess I should remove the reference to this section in the current docbook build.
I guess discussion on this can continue in the https://github.com/NixOS/release-wiki repo.
Motivation for this change
Always use the latest version.