I use NixOS on my desktop, laptop, and on all new server deployments. It's definitely a learning curve, especially considering the documentation is nowhere near as good as it should be yet, but absolutely worth it in the long run; and I rarely run into unavailability of software.
Security updates are indeed sometimes slow to arrive, for the reasons that aidenn0 already described. However! One thing that's particularly interesting about the security update process for NixOS is that it's an open collaborative effort: https://github.com/NixOS/nixpkgs/issues/23334
More eyeballs are definitely needed for handling security issues, especially since LWN stopped doing their reports, but the process itself is definitely one that has significant potential.
First, with the naive, as-described nix, there are two options:
* For updates to propagate through all the build servers takes a day or two, so you can just be insecure for 48 hours
* Or, you can always build your packages yourself by setting your update channel to just be the head of the nix repository, but now you won't get binary caches for anything that has had its source updated since the last build. This actually works better than you might think, but is still a no-go for most people.
Both of those suck, so there is something called replaceDependency[1] that lets you define a package in terms of the already-built package and a new version of the library. This lets you quickly get a security update in a shared library out to multiple slow-to-build packages.
1: https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-supp...
The existing way is to use replaceDependency(), which takes as an input an already-built package and produces as an output the same binary but with different RPATHs for the shared objects. This, however, is just a stopgap, as other approaches are being discussed. Since I'm not running a server, I haven't followed it as closely as I perhaps should.
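The two comments above describe replaceDependency without showing how it is called. The following is an added example, not code from the thread or from nixpkgs itself: it takes an already-built package (curl, as an illustrative choice) and swaps a patched build of one of its shared libraries into its runtime closure, so curl's own build is reused instead of repeated. The patch file name and the choice of library are assumptions for the sake of illustration; the `drv`/`oldDependency`/`newDependency` attribute names are the function's real arguments.

```nix
# Added example: rewrite an already-built package to use a patched shared
# library, instead of rebuilding the package and everything that depends on it.
{ pkgs ? import <nixpkgs> {} }:

let
  # Assumption: a security fix applied as a patch on top of the same source.
  # Keeping the version (and therefore the store path name) unchanged is what
  # makes the store-path rewrite below a drop-in replacement.
  patchedOpenssl = pkgs.openssl.overrideAttrs (old: {
    patches = (old.patches or []) ++ [ ./openssl-security-fix.patch ];  # hypothetical patch file
  });
in
pkgs.replaceDependency {
  # The already-built package whose binaries currently reference the old library.
  drv = pkgs.curl;
  # Every reference to this store path in the runtime closure of `drv` ...
  oldDependency = pkgs.openssl;
  # ... is rewritten to point at this one.
  newDependency = patchedOpenssl;
}
```

Build it with `nix-build <this-file>.nix`; the result's `bin/curl` links against the patched library, and `nix-store -qR result` should no longer list the original openssl output. The replacement only helps where the fix lives in a shared library referenced from the Nix store: code that was statically linked or vendored into the package at build time still needs a real rebuild.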
This is patently false. There is a stable release every six months, and a team dedicated to patching the stable release. I'm surprised you missed this, as it's right there in the first sentence of the download page: https://nixos.org/nixos/download.html
You have the option of following the master nixpkgs branch, or one of several "channels" which are essentially tested checkouts of the main nixpkgs repo. There are both stable release channels (e.g. nixos-18.09) and unstable channels (e.g. nixos-unstable).
It's not immediately clear to me that there's an "lts" or "stable" that would allow easy security-only updates, preferably in an automatic fashion. Or is this one issue a special case where a) the admin must see the announcement, and b) manually act to secure systems?
Updates are committed to the stable nixpkgs branch. These then propagate through the channel. NixOS has a configuration option to enable automatic upgrades[1], which periodically pulls the latest nixpkgs checkout from the channel you're following, rebuilds the system, and switches to that configuration.
Currently, there's no real support period for non-latest releases, as there's insufficient manpower to support them.
That's not for philosophical or ideological reasons, though; if somebody steps up and takes on the role of coordinating long-term support, it'd be welcomed.
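For the automatic-upgrade option referred to a few comments up, here is an added configuration.nix fragment (my own example, not from the thread or the NixOS manual) that follows the stable 18.09 channel named in this thread and rebuilds on a schedule. The channel URL and time of day are assumptions; adjust them to the release you actually track.

```nix
# Added example: unattended upgrades from a stable release channel.
{ config, pkgs, ... }:

{
  system.autoUpgrade = {
    enable = true;
    # Pin the upgrade to a stable release channel so only that branch's
    # backported fixes are pulled in, not nixos-unstable.
    channel = "https://nixos.org/channels/nixos-18.09";
    # systemd calendar expression: when the periodic rebuild runs (assumed value).
    dates = "04:00";
  };
}
```

With this enabled, the system periodically updates the channel, runs `nixos-rebuild switch`, and activates the new configuration; because each rebuild is a separate generation, a bad update can be backed out with `nixos-rebuild switch --rollback`. Note that "switch" activates the new generation immediately, but services whose running processes were not restarted, and the kernel, still require a restart or reboot to actually use the patched binaries.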