Hello,
The glibc update to 2.38-66, to patch CVE-2024-2961, was opened and merged to staging-23.11 2 weeks ago (Apr 19): [23.11] glibc: 2.38-44 -> 2.38-66 by LeSuisse · Pull Request #304878 · NixOS/nixpkgs · GitHub
However, it took until april 28 for the actual rebuild to happen: Hydra - nixpkgs:staging-next-23.11, as part of staging-next-23.11 iteration 8.
Now, the patched glibc is sitting in staging-next-23.11, while release-23.11 continues with a 2 week old glibc vulnerability.
Understandably, the reviews and testing of mass rebuilds take time, as do the builds themselves. However, the 9-day gap from patch to staging-next when involving a widespread security fix is confusing to me. The staging documentation simply says that “Regularly, the staging branch is manually merged into a staging-next branch to be built by Hydra.” Was there a blocker that maintainers here had to wait for before merging at that time? From my understanding of the docs, staging-next-xx.yy is the major testing ground for these patches, not staging-xx.yy itself.
Especially considering that staging-next iterations tend to take >4 days to be merged to releases, why not start the process as soon as possible to get this patch released?