How long are security updates ported to 19.09?

Hi, I’m completely new to NixOS, so please excuse my ignorance, but what is the policy regarding CVEs or security issues in the stable release of NixOS 19.09? Are fixes backported or is the package upgraded to the next release?

I noticed cupsd is on version 2.2.12, while in December version 2.2.13 was released with a security fix (CVE-2019-2228). But, I did not see this in the list mentioned above.

(I split your question into its own topic.)

The previous stable version is usually supported with backports (security or otherwise) for about 1 month after the latest stable version release. That said, it is a community effort to do the backports; we don’t have anyone working on it full time or anything.

Is the question about what to do with the 19.09 package?

  1. add just the patch that fixes the CVE
  2. upgrade to 2.2.13 [doesn’t exist in master which went 2.2.12 → 2.3.0]
  3. backport 2.3.1 from master

I’d say option 2 has a low enough chance of breaking anything and doesn’t require much work, so I’d go with that. Though I’m quite new here too, so someone more experienced please correct me if that’s not right.

Yes! Please go ahead and file a PR for that. Feel free to ping me on there (@andir).