I’m considering using NixOS in production. For this it is vital that any security flaws are fixed timely.
The NixOS Security page talks about “security releases.” Are these only concerned with security fixes in NixOS-specific software (like the Nix package manager), or are these about security fixes in any software contained in NixOS (like mail servers and desktop environments)? How quickly are security fixes released compared to other Linux distributions?
Hey there,
The mailing list has fallen into a bit of disrepair lately, however it is not an indication of a lack of security patching effort. It just turns out that sending these emails is a whole lot of work.
The team and the NixOS security community take timely patching seriously and work hard to have timely patches available in production. The security team works on security issues for all of Nix’s ecosystem, and all of the packages in NixOS.
NixOS’s patch release time is quite fast. Compared to RedHat, NixOS frequently has faster patch cycles: because we ship more modern versions of software we don’t have to backport patches to old software.
Our patch coverage is also pretty good, but not perfect. I don’t have good data here.
Many companies use NixOS in production already, including some very large corporations and banks.
If your use case requires exceptionally careful attention to detail which our all-volunteer staff can’t provide, I’d be happy to talk to you about something like a support contract which would let us pay people and grow the team.
Some quick advice: stick to the current stable release; patches are released most quickly through that channel.
I hope this helps!
Graham
Thanks a lot for this information. That sounds very reassuring.