by hollerith 1845 days ago
I appreciate your digging into that.

The interval of time during which I was most concerned about unpatched holes in nixos-unstable's google-chrome was the days leading up to Mar 12.

1 comments

Chrome stable 89.0.4389.90 was released on March 12: https://chromereleases.googleblog.com/2021/03/stable-channel...

Version bump in nixpkgs: https://github.com/NixOS/nixpkgs/commit/5f8b95113983c8f31d63... on March 13 (one day later)

Released in nixos-unstable on Mar 16 11:11:22 UTC (four days later)

Backport to 20.09: https://github.com/NixOS/nixpkgs/commit/26ba8cd77b5a4408799f... on March 13 (one day later)

Released in nixos-20.09 on Mar 16 16:31:31 UTC (four days later)

Again, four days is not great for a Chrome zero-day. NixOS doesn't have a professional security team, and if you need that assurance, maybe you can't use it. But please don't exaggerate and muddy the facts.

Most of the delay is due to Hydra having to build everything that came in ahead of that change on the master branch, and sometimes the master branch is just broken... I wish there was a fast-track process that could bump urgent security changes ahead of other ones, but it seems like it could complicate things a lot.

Of course, as I said above, it's relatively easy for you to update your local install without waiting for all that, if you're aware of the release and its severity.
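The practical question behind this thread is "is the Chrome on my machine still behind the fixed release?" The script below is an added example, not code from either commenter or from nixpkgs: a POSIX sh version comparison that walks dotted version strings component by component (so 89.0.4389.114 correctly sorts after 89.0.4389.90, which plain string comparison gets wrong), plus a helper that reads the locally installed version. It assumes the binary is named google-chrome-stable and that its --version output ends with the version number; the fixed release 89.0.4389.90 is the one cited in the thread and is passed in as the reference.

```shell
# Added example (not from the thread or nixpkgs): decide whether an installed
# Chrome build is at or past the release that carried the fix.

# version_ge INSTALLED REQUIRED -> status 0 if INSTALLED >= REQUIRED.
# Dotted components are compared numerically in lockstep; a missing
# trailing component counts as 0, so "89.0" < "89.0.4389.90".
version_ge() {
    i=$1
    r=$2
    while [ -n "$i" ] || [ -n "$r" ]; do
        ia=${i%%.*}; ra=${r%%.*}
        case $i in *.*) i=${i#*.} ;; *) i= ;; esac
        case $r in *.*) r=${r#*.} ;; *) r= ;; esac
        [ -n "$ia" ] || ia=0
        [ -n "$ra" ] || ra=0
        if [ "$ia" -gt "$ra" ]; then return 0; fi
        if [ "$ia" -lt "$ra" ]; then return 1; fi
    done
    return 0
}

# chrome_patched INSTALLED REQUIRED -> prints a verdict, status 0 only if patched.
chrome_patched() {
    if version_ge "$1" "$2"; then
        echo "patched: $1 >= $2"
        return 0
    fi
    echo "UNPATCHED: $1 < $2"
    return 1
}

# Read the version of the Chrome on PATH. Assumption: the binary is called
# google-chrome-stable and prints something like "Google Chrome 89.0.4389.90".
installed_chrome_version() {
    command -v google-chrome-stable >/dev/null 2>&1 || return 1
    google-chrome-stable --version 2>/dev/null | awk '{print $NF}'
}

# Reference release from the thread (stable channel update of March 12, 2021).
FIXED_CHROME_VERSION=89.0.4389.90

# Stand-alone run: report on the local install if one is found.
if v=$(installed_chrome_version); then
    chrome_patched "$v" "$FIXED_CHROME_VERSION"
else
    echo "no google-chrome-stable on PATH; nothing to check"
fi
```

Run it from a shell on the machine in question; a non-zero exit from chrome_patched is the signal that the local update the comment describes is still pending, regardless of what the channel has or has not built yet.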