Timely updates for NixOS


OpenSSL 1.1.1u was released two weeks ago to fix some vulnerabilities. It was backported to 22.11 with [Backport staging-22.11] openssl_1_1: 1.1.1t -> 1.1.1u by github-actions[bot] · Pull Request #235017 · NixOS/nixpkgs · GitHub but since then, it is still in staging. This is just an example, but vulnerabilities take time to reach users, even without taking a detour to staging.

I don’t really have a solution but I was wondering if there is some work in-progress to deal with this?


I’m not aware. One full rebuild iteration takes normally roughly a week, and each of them fixes CVEs. We’re now supporting three separate branches for about a month or two, so a lag of three weeks is normal to happen, I’m afraid. Right now 22.11 has the lowest priority of the three AFAIK.

BTW, there’s replaceRuntimeDependencies as well, e.g. see OpenSSL 3.0.7 update (2022-11-01) FAQ


Thanks! The tool mentioned to track how far is the PR in a release is quite useful!

There’s also a labeltracker as an RSS feed: Pull requests labeled `1.severity: security' in NixOS/nixpkgs and Issues labeled `1.severity: security' in NixOS/nixpkgs which you can subscribe too.

I am working with the author and ideally the new infra team or nix-community, so we can promote it a bit better.

But work in this area definitely requires help.


So, for this particular case, let’s do 22.11 rebuild now. You can follow:

For those interested, this is what it currently shows for the backport PR linked in the OP: Nixpkgs PR #235017 ("[Backport staging-22.11] openssl_1_1: 1.1.1t -> 1.1.1u") progress

Sounds like it is about time to revive https://github.com/NixOS/nixpkgs/pull/10851

When I created this branch, people told me that this was not worth the complexity because security updates were shipping the next day.


I expect it’s still the same for the bulk of people fixing security issues in nixpkgs, but certainly it’s good to link that work.

Even if security updates were shipping the next day via Hydra, not everyone has the same resources to build that many packages. Your work would additionally make it viable to apply for example bugfix patches to often used library packages that aren’t likely to land in either upstream or nixpkgs any time soon, without having to wait days for every single update to build. It’s sad to hear that that is the reason why you’ve stopped working on it and I hope you reconsider.