It depends: we are not on the linux-distros mailing list, but we have been part of cases coordinated by CERT/CC.
The Xen team also have access to the Xen pre-disclosure list.
Yes, the development occurs in public on GH and there is no possibility for us to “pre-build” something.
However having access to the disclosure cases allows the Security Team to do some work in advance:
- we can test the patches and confirm the package, direct dependencies (at least some of them) and variants like `pkgsStatic` or `pkgsCross.*` still build, NixOS tests still succeed and so on
- we can have a commit ready to be published for the coordinated disclosure date and save a bit of time; in the rsync case (rsync: apply patches for 6 vulnerabilities by LeSuisse · Pull Request #373784 · NixOS/nixpkgs · GitHub) it is notably why the patches are vendored instead of being fetched from the rsync Git repo, as they were not yet pushed when we opened the PR
- determine if there are ways to mitigate the issue via specific options or hardening
- for more complex situations it also allows us to prepare an announcement with specific information for nixpkgs/NixOS users (e.g. cups, cups-filters and libppd security issues)
All of that helps to provide the fixes for coordinated disclosures in a timely manner.
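As an added illustration of the pre-build checks described in the post (this script is not from the post, the NixOS Security Team or nixpkgs itself), here is a small POSIX shell helper that, run from the root of a nixpkgs checkout with the patch applied, builds the native, `pkgsStatic` and `pkgsCross.*` variants of a package, runs its NixOS test and builds its direct dependents with `nixpkgs-review wip`. The cross targets and the NixOS test name are assumptions chosen for the example, not values taken from the post.

```shell
#!/bin/sh
# Added example, not code from the post or from nixpkgs: pre-disclosure build
# checks for a patched package in a local nixpkgs checkout.
# Assumptions (not from the post): the cross-target list below is a sample
# choice, and the NixOS test name passed to run_checks is a placeholder.

CROSS_TARGETS="${CROSS_TARGETS:-aarch64-multiplatform musl64}"

# Print the attribute paths to build for a package: the native package,
# its pkgsStatic variant and one pkgsCross.* variant per target.
variant_attrs() {
    pkg="$1"
    printf '%s\n' "$pkg" "pkgsStatic.$pkg"
    for t in $CROSS_TARGETS; do
        printf 'pkgsCross.%s.%s\n' "$t" "$pkg"
    done
}

# Build every variant of a package; prints one line per variant and
# returns the number of variants that failed to build (0 = all good).
build_variants() {
    pkg="$1"
    failures=0
    for attr in $(variant_attrs "$pkg"); do
        if nix-build --no-out-link -A "$attr" >/dev/null 2>&1; then
            echo "ok   $attr"
        else
            echo "FAIL $attr"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Run the NixOS test for the package (test file is nixos/tests/<name>.nix).
run_nixos_test() {
    nix-build --no-out-link "nixos/tests/$1.nix"
}

# Full check: variants, NixOS test, then direct dependents of the
# uncommitted change via nixpkgs-review (builds what the patch affects).
# Usage: run_checks <package-attr> <nixos-test-name>
run_checks() {
    pkg="$1"
    test_name="$2"   # placeholder: pick the real test file for the package
    build_variants "$pkg" || { echo "variant build failures: $?"; return 1; }
    run_nixos_test "$test_name" || return 1
    nixpkgs-review wip
}

# Only run the checks when the script is invoked with arguments, e.g.
#   RUN_CHECKS=1 sh prebuild-checks.sh rsync rsync
if [ "${RUN_CHECKS:-0}" = 1 ] && [ "$#" -ge 2 ]; then
    run_checks "$1" "$2"
fi
```

`nixpkgs-review wip` rebuilds the packages affected by the working-tree changes, which is the practical way to cover the "direct dependencies (at least some of them)" part of the post; the variant list is deliberately small because `pkgsCross.*` builds are expensive and a security fix usually only needs the targets the package is actually shipped for.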