Why is unpatched glibc 2.38-44 still on latest stable 23.11?

The glibc update to 2.38-66, to patch CVE-2024-2961, was opened and merged to staging-23.11 2 weeks ago (Apr 19): [23.11] glibc: 2.38-44 -> 2.38-66 by LeSuisse · Pull Request #304878 · NixOS/nixpkgs · GitHub

However, it took until april 28 for the actual rebuild to happen: Hydra - nixpkgs:staging-next-23.11, as part of staging-next-23.11 iteration 8.

Now, the patched glibc is sitting in staging-next-23.11, while release-23.11 continues with a 2 week old glibc vulnerability.

Understandably, the reviews and testing of mass rebuilds take time, as do the builds themselves. However, the 9-day gap from patch to staging-next when involving a widespread security fix is confusing to me. The staging documentation simply says that “Regularly, the staging branch is manually merged into a staging-next branch to be built by Hydra.” Was there a blocker that maintainers here had to wait for before merging at that time? From my understanding of the docs, staging-next-xx.yy is the major testing ground for these patches, not staging-xx.yy itself.

Especially considering that staging-next iterations tend to take >4 days to be merged to releases, why not start the process as soon as possible to get this patch released?

Typically it’s because the build farm is too busy with other work. There isn’t just one expensive branch, there’s mainly staging-next and staging-next-23.11 but also other significant work sometimes.