Hi, I have been using NixOS for about a month, and I switched to using flakes last week, it is great.
I want to know more about how NixOS handles security updates.
I noticed that there was an openssh vulnerability published about 10 days ago (CVE-2023-48795) which is a Terrapin attack, and I saw great people are working on it in github:
(libssh2: apply patch for CVE-2023-48795 by leona-ya · Pull Request #275641 · NixOS/nixpkgs · GitHub)
and
([Backport staging-23.11] libssh2: apply patch for CVE-2023-48795 by github-actions[bot] · Pull Request #276505 · NixOS/nixpkgs · GitHub).
I noticed that the patch was merged into the NixOS:staging and staging-23.11 branches respectively.
But I have some questions about the process:
- What is a staging branch actually?
- Will it be eventually merged into the current `nixos-23.11` branch?
- How long will it take on average for such a security patch to be merged into `nixos-23.11`?
- I am using `flake.nix` with `configuration.nix` with `nixos-23.11` like here: Flakes - NixOS Wiki. How can I get the security update after the patch is merged into `nixos-23.11`? Can a simple `sudo nixos-rebuild switch` do that, or do I need some special commands since I am using flakes?
- How can I apply the patch right now?
Sorry for so many questions asked at once. Thank you for your help!