CVE-2026-31431 - Copy Fail - Linux kernel crypto vulnerability

I agree fully that this is what I signed up for, and feel the same as you do. There was a mitigation for it, so that likely weighed heavily for Red Hat as to how much testing would be done/delay before releasing, as well as Rocky deciding to wait for RHEL packages. If we could have an option to enable another repo for very high severity stuff, that might save some servers from being attacked, though. That I think would be beneficial. Whether that emergency breaking of 1:1 is in line with the goal of Rocky Linux, though, is the real question. Up until this point, I assumed it was not the goal and 1:1 was the goal.

I think the bigger question is why did Red Hat take so long to release patches? If it had been released several days ago, Rocky would have got it maybe a day later.

Maybe it just takes that long for them to test all of their variations to meet their expected quality. Maybe some other reason, good or bad. Hopefully this is the exception, but if this is going to be the norm for RHEL for a high severity issue like this, then maybe having a separate repo for those that want to allow a break from 1:1 for very high severity vulnerabilities that RH is taking too long on would be beneficial to many users. Yes, you could use a mitigation, but there will always be some systems that are not got to in time, where an emergency update might have saved a system.

Lots of things to think about with that, though. Do Rocky developers always jump on trying to patch very high severity stuff and abort it if RH gets it out before they do? Do Rocky devs wait hours/days before putting effort in? Lots of details to think about, I think, that would really need to be defined to know what the actual bar is that is trying to be set, to make sure that bar is being met consistently. Or just keep it 1:1 and know that is what we signed up for too.