Getting rid of piled up security PRs

Hey all,

I’ve recently got merge rights and I’m planning to use my newly-gained powers to get on top of the security PR backlog. Stuck security fixes don’t provide value for our users and frustate the authors.

As my time is limited, I should be by no means the only person merging security PRs of course. Ad-hoc coordination takes place in #nixos-security on IRC.

I would be glad when also devs without merge right could help out. I’d encourage everyone to do independent reviews. Try out a patched version and comment your findings on the issue. This can significantly speed up the process.

Let’s make NixOS a distribution which delivers security fixes timely.

I underestimated how much work it is. The pile is still there, but we’re making progress.

What really seems to have improved is that more people make comments like “I tried it” or “I can confirm”. They may look little, but is a great help for maintainers. So please keep up. We’re getting on top of this.