I don’t know if this is the right place to ask. I’m interested in whether NixOS has the same status/priority with security researchers as other popular distributions (e.g. Debian or Ubuntu) with regard to being notified about vulnerabilities in a timely manner. I am quite new to this, so maybe this question is already answered or common knowledge.
The context is that I am evaluating whether NixOS could be used for an embedded device that is exposed to the internet. I would like to know if we have a chance to patch those devices in a timely manner.
The rsync vulnerability [0] triggered my interest, as it states that NixOS was notified on 2024-11-25. NixOS development happens in public on GitHub, right? But these disclosures must somehow happen in the background so that things can be prepared (PRs, etc.?).
Also, is it a disadvantage that NixOS needs a public PR for patching the software and then time to roll it out to the cache?
It depends: we are not on the linux-distros mailing list, but we have been part of cases coordinated by CERT/CC.
The Xen team also has access to the Xen pre-disclosure list.
Yes, development occurs in public on GH, and there is no possibility for us to “pre-build” something.
However, having access to the disclosure cases allows the Security Team to do some work in advance:
we can test the patches and confirm that the package, direct dependencies (at least some of them) and variants like pkgsStatic or pkgsCross.* still build, that NixOS tests still succeed, and so on.
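As an added illustration of the pre-disclosure checks described in that reply (example script, not the Security Team's own tooling): it builds a package plus its pkgsStatic and one pkgsCross variant and optionally a NixOS test from a local nixpkgs checkout. The aarch64 cross target, the NIXPKGS default of `<nixpkgs>` and the NixOS test name are assumptions.

```shell
#!/usr/bin/env sh
# Added example: rebuild a patched package across the variants mentioned in the
# thread before the public PR goes up. Requires nix-build on PATH.
# Assumption: NIXPKGS points at the checkout carrying the unreleased patch.
NIXPKGS="${NIXPKGS:-<nixpkgs>}"

# Attribute paths worth rebuilding for one package: the package itself,
# its static build and one cross build (aarch64 chosen here as an example).
variant_attrs() {
    pkg="$1"
    printf '%s\n' "$pkg" "pkgsStatic.$pkg" "pkgsCross.aarch64-multiplatform.$pkg"
}

# Build every variant, report ok/FAIL per attribute, return the failure count
# (non-zero exit means at least one variant no longer builds with the patch).
build_variants() {
    pkg="$1"
    failures=0
    for attr in $(variant_attrs "$pkg"); do
        if nix-build "$NIXPKGS" -A "$attr" --no-out-link >/dev/null 2>&1; then
            echo "ok   $attr"
        else
            echo "FAIL $attr"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Run one NixOS VM test from nixpkgs' nixosTests set; the test name is
# a hypothetical argument, not every package ships such a test.
run_nixos_test() {
    test_name="$1"
    nix-build "$NIXPKGS" -A "nixosTests.$test_name" --no-out-link >/dev/null 2>&1
}

# Usage: ./check-variants.sh rsync [nixos-test-name]
if [ "$#" -ge 1 ]; then
    build_variants "$1" || echo "some variants failed to build"
    if [ "$#" -ge 2 ]; then
        run_nixos_test "$2" && echo "ok   nixosTests.$2" || echo "FAIL nixosTests.$2"
    fi
fi
```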
For context, I believe the main reason for that is the inability (of our current infra) to prepare non-public binaries, and therefore the limited benefit of being notified in advance (and their wanting to restrict the information where it doesn’t help a lot).