July 1st 6.36am GMT+2 – OpenSSH release 9.8 to patch the vulnerability
July 1st 11.00am GMT+2 – emilazy opened a PR applying the patch to Nixpkgs
July 1st 3.15pm GMT+2 – CVS published via GitHub Security Advisor

According to one of my servers I run a system update July 1st at 9pm UTC (11pm GMT+2) if I am doing the conversion correctly.

stat -c %w /run/current-system
2024-07-01 21:11:19.291938167 +0000

NOTE: this trick to know about a last deploy works as long as the system didn’t reboot.

I just run a couple of public facing servers and this time I had the opportunity and the time to track my progress, but I like the simplicity and the timeline I see here. I was able to deliver a security vulnerability from program release to server delivery in 17 hours without rushing since I am not running critical systems.

Let me know about your experience!