From af7fc05959a5962d25275bb451d4f943443a7746 Mon Sep 17 00:00:00 2001
From: Maximilian Bosch
Date: Sat, 30 Dec 2023 11:38:31 +0100
Subject: linux/hardened: read min supported kernel from kernels-org.json
This one isn't 4.14 anymore and that should've been updated while removing 4.14, but is easy to miss. Since it's not expected that we have versions older than the oldest mainline version from `kernels-org.json`, determine the minimum supported version by reading it from there. Also, this means lesser places to update when dropping old kernels. This needs an additional change for the mainline updater to make sure that no older versions appear there[1]. This will be implemented in the next commit. [1] At the time of implementing this, the oldest supported kernel was 4.19, however 4.14 wasn't EOL yet and thus still picked up by the mainline updater.
---
 pkgs/os-specific/linux/kernel/hardened/update.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
(limited to 'pkgs/os-specific/linux/kernel/hardened')
diff --git a/pkgs/os-specific/linux/kernel/hardened/update.py b/pkgs/os-specific/linux/kernel/hardened/update.py
index ce54c29807589..cb624ebe86b93 100755
--- a/pkgs/os-specific/linux/kernel/hardened/update.py
+++ b/pkgs/os-specific/linux/kernel/hardened/update.py
@@ -1,5 +1,5 @@
 #! /usr/bin/env nix-shell
-#! nix-shell -i python -p "python3.withPackages (ps: [ps.pygithub])" git gnupg
+#! nix-shell -i python -p "python3.withPackages (ps: [ps.pygithub ps.packaging])" git gnupg
 # This is automatically called by ../update.sh.
@@ -27,6 +27,8 @@ from typing import (
 from github import Github
 from github.GitRelease import GitRelease
+from packaging.version import parse as parse_version, Version
+
 VersionComponent = Union[int, str]
 Version = List[VersionComponent]
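Review bot: The `Version` class imported from `packaging.version` in the `@@ -27,6 +27,8 @@` hunk is rebound two lines later by the existing alias `Version = List[VersionComponent]`, so the imported name is dead and annotations such as `MIN_KERNEL_VERSION: Version` become ambiguous to a reader. Only `parse_version` is used by the new code visible in this patch, so the line could be `from packaging.version import parse as parse_version`. If the class is wanted elsewhere in the file, importing it under a distinct name avoids the clash.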
@@ -39,6 +41,11 @@ Patch = TypedDict("Patch", {
 })
+def read_min_kernel_branch() -> List[str]:
+ with open(NIXPKGS_KERNEL_PATH / "kernels-org.json") as f:
+ return list(parse_version(sorted(json.load(f).keys())[0]).release)
+
+
 @dataclass
 class ReleaseInfo:
 version: Version
@@ -51,7 +58,7 @@ NIXPKGS_PATH = HERE.parents[4]
 HARDENED_GITHUB_REPO = "anthraxx/linux-hardened"
 HARDENED_TRUSTED_KEY = HERE / "anthraxx.asc"
 HARDENED_PATCHES_PATH = HERE / "patches.json"
-MIN_KERNEL_VERSION: Version = [4, 14]
+MIN_KERNEL_VERSION: Version = read_min_kernel_branch()
 def run(*args: Union[str, Path]) -> subprocess.CompletedProcess[bytes]:
-- 
cgit 1.4.1
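Review bot: `sorted(json.load(f).keys())[0]` in `read_min_kernel_branch` picks the minimum by string order rather than version order, so with keys such as `5.4` and `5.10` (constructed example; the file's keys are not shown in this patch) it would return `5.10`. Presumably the updater would then treat the older branch as below the minimum and silently stop refreshing its hardened patches. Comparing parsed versions avoids that, e.g. `min(parse_version(k) for k in keys).release`, with any non-version key filtered out first, since current `packaging` releases raise on strings that are not versions. The return annotation should be `List[int]`, because `.release` is a tuple of integers. The call in the last hunk runs at import time, so a missing or empty `kernels-org.json` surfaces as a bare `FileNotFoundError` or `IndexError`; a one-line docstring stating that the file must contain at least one versioned branch would document that.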