Pin nixpkgs to a stable release (nixos-26.05) instead of unstable? #11

New issue

Closed

opened 2026-06-18 08:37:04 +00:00 by bram.buijs · 1 comment

bram.buijs commented 2026-06-18 08:37:04 +00:00

Collaborator

Copy link

Observation

flake.nix tracks nixos-unstable with a nixos-25.11 stable fallback. 25.11
is close to end of life, and unstable means the workstation moves with the
rolling channel.

For a government workstation a pinned stable release is usually the safer
posture (predictable, security-patched within the release). I've been running
the config on nixos-26.05 (the current stable) and it evaluates green across
the hosts.

Question

Is nixos-unstable a deliberate choice (tracking latest), or would a pin to
nixos-26.05 be welcome? If welcome I'll open the (small) PR. Flagging it as a
question first rather than just sending the PR, since it's a repo-wide policy
call.

## Observation `flake.nix` tracks `nixos-unstable` with a `nixos-25.11` stable fallback. 25.11 is close to end of life, and unstable means the workstation moves with the rolling channel. For a government workstation a pinned stable release is usually the safer posture (predictable, security-patched within the release). I've been running the config on `nixos-26.05` (the current stable) and it evaluates green across the hosts. ## Question Is `nixos-unstable` a deliberate choice (tracking latest), or would a pin to `nixos-26.05` be welcome? If welcome I'll open the (small) PR. Flagging it as a question first rather than just sending the PR, since it's a repo-wide policy call.

bram.buijs referenced this issue 2026-06-18 08:37:05 +00:00

feat: overheid baseline (hardening opt-in, users, T495s host, 26.05 pin) #7

rutger.putter commented 2026-06-18 09:38:58 +00:00

Collaborator

Copy link

Agreed an approved ✅. This might prevent some "unexplained" behavior in the unstable branch.
I would still like to have an overlay for unstable packages if we require an more updated version of a specific package.

If you have the bandwidth: go ahead and create the PR and I'll review/merge.

Agreed an approved ✅. This might prevent some "unexplained" behavior in the unstable branch. I would still like to have an overlay for unstable packages if we require an more updated version of a specific package. If you have the bandwidth: go ahead and create the PR and I'll review/merge.

bram.buijs referenced this issue from a pull request that will close it, 2026-06-18 12:08:11 +00:00

feat(nixpkgs): pin nixos-26.05 and add an unstable overlay #17

bram.buijs referenced this issue 2026-06-18 12:13:30 +00:00

docs(architecture): record key design decisions as ADRs #22

rutger.putter closed this issue 2026-06-22 08:42:33 +00:00

rutger.putter referenced this issue from a commit 2026-06-22 08:42:34 +00:00

feat(nixpkgs): add an unstable overlay for cherry-picking newer packages

rutger.putter added the

Kind/Enhancement

Kind/Security

labels 2026-06-22 09:20:39 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

release/0.1.0

No results found.

Labels

Clear labels   

Compat/Breaking

Breaking change that won't be backward compatible

  

Kind/Bug

Something is not working

  

Kind/Discussion

Any topic that needs discussion before a technical solution is accepted

  

Kind/Documentation

Documentation changes

  

Kind/Enhancement

Improve existing functionality

  

Kind/Feature

New functionality

  

Kind/Security

This is security issue

  

Kind/Testing

Issue or pull request related to testing

  

Priority

Critical

The priority is critical

  

Priority

High

The priority is high

  

Priority

Low

The priority is low

  

Priority

Medium

The priority is medium

  

Reviewed

Confirmed

Issue has been confirmed

  

Reviewed

Duplicate

This issue or pull request already exists

  

Reviewed

Invalid

Invalid issue

  

Reviewed

Won't Fix

This issue won't be fixed

  

Status

Abandoned

Somebody has started to work on this but abandoned work

  

Status

Blocked

Something is blocking this issue or pull request

  

Status

Help Wanted

If you're looking to help out, start here

  

Status

Need More Info

Feedback is required to reproduce issue or to continue work

  

Prio - Hoog

Hoge prioriteit

  

Prio - Laag

Lage prioriteit

  

Prio - Middel

Medium prioriteit

  

styling

Verbeteringen aan de styling

No labels

Compat/Breaking

Kind/Bug

Kind/Discussion

Kind/Documentation

Kind/Enhancement

Kind/Feature

Kind/Security

Kind/Testing

Priority

Critical

Priority

High

Priority

Low

Priority

Medium

Reviewed

Confirmed

Reviewed

Duplicate

Reviewed

Invalid

Reviewed

Won't Fix

Status

Abandoned

Status

Blocked

Status

Help Wanted

Status

Need More Info

Prio - Hoog

Prio - Laag

Prio - Middel

styling

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

MinBZK/DAWO-NixOS#11

No description provided.