Questions about security updates in NixOS with flake

Hi, I have been using NixOS for about a month, and I switched to use flake last week, it is great.
I want to know more about how NixOS handle security updates.

I noticed that there was a openssh vulnerability published about 10 days ago (CVE-2023-48795) which is a Terrapin attack, and I saw great people are working on it in github:
(libssh2: apply patch for CVE-2023-48795 by leona-ya · Pull Request #275641 · NixOS/nixpkgs · GitHub)
([Backport staging-23.11] libssh2: apply patch for CVE-2023-48795 by github-actions[bot] · Pull Request #276505 · NixOS/nixpkgs · GitHub).

I noticed that the patch was merged in NixOS:staging and staging-23.11 branches respectively.
But I have some questions about the process:

  1. What is a staging branch actually?
  2. Will it be eventually merged into the current nixos-23.11 branch?
  3. How long will it take on average for such security patch to merge in nixos-23.11?
  4. I am using flake.nix with configuration.nix with nixos-23.11 like here: Flakes - NixOS Wiki, how can I get the security update after the patch is merged in nixos-23.11? Can a simple sudo nixos-rebuild switch do that or do I need some special commands since I am using flake?
  5. How can I apply the patch right now?

Sorry for so many question asked at once. Thank you for your help!


nixos-23.11 already updated to the latest version (, just my flake prevent it from upgrading…my bad
I use the sudo nixos-rebuild switch --update-input nixpkgs -L --upgrade stated in Best practices for auto-upgrades of flake-enabled NixOS systems? - #2 by sinnlos23 to update successfully.

1 Like

As for staging*, I recommend