this post was submitted on 20 Jul 2023

672 points (96.5% liked)

Linux

48031 readers

797 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago

MODERATORS

nooter692@lemmy.ml

AgreeableLandscape@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz

672

Red Hat refuses Alma's CVE patches to CentOS Stream; says "no customer demand" (i.redd.it)

submitted 1 year ago* (last edited 1 year ago) by cleric_splash@lemmy.world to c/linux@lemmy.ml

90 comments fedilink hide all child comments

https://gitlab.com/redhat/centos-stream/rpms/iperf3/-/merge_requests/5

top 50 comments

sorted by: hot top controversial new old

[–] yarn@sopuli.xyz 226 points 1 year ago* (last edited 1 year ago) (7 children)

I haven't been really keeping up with this RHEL drama, so I'm probably going to regret making this comment. But about this bug merge request in particular, you have to remember that RHEL's main target audience is paying enterprise customers. It's the "E" right there in RHEL. So stability is a high priority for their developers, since if they accidentally introduce a bug to their code, then they'll have a lot of unhappy paying customers.

The next comment that was cropped out of that screenshot basically explains exactly that. While the Red Hat developers probably appreciate the bug fix, the reality is that the bug was listed as non-critical, and the Red Hat teams didn't have the capacity to adequately regression test and QA the merge request. But the patch was successfully merged into Fedora, so it will eventually end up in RHEL through that path, which is exactly what the Fedora path is for.

The blowup about this particulat bug doesn't seem justified to me. Red Hat obviously can't fix and regression test every single bug that's listed in their bug tracker. So why arbitrarily focus on this one medium priority bug? if it were listed as a critical bug, then yes, the blowup would be justified.

[–] exu@feditown.com 113 points 1 year ago (2 children)

In its blog post Red Hat specifically called out downstream distributions for not contributing anything to the development of RHEL and that they should be making fixes to CentOS Stream. Well, this is a fix for CentOS Stream and Red Hat still doesn't care. They just don't want community contributions.

[–] yarn@sopuli.xyz 21 points 1 year ago (2 children)

CentOS Stream is the staging ground for RHEL. It isn't a bleeding edge distro that can accept any merge request willy-nilly. For the reason why, reread my original comment about the nature of enterprise support.

Fedora is the distro that is more bleeding edge in the RHEL realm. This merge request was more suited for Fedora, and the fix was successfully applied to Fedora. So, I fail to see any irrational actions from Red Hat here.

[–] Flaky@iusearchlinux.fyi 22 points 1 year ago (2 children)

Sounds to me like they messed up the communication between them and the devs. If they directed the PR submitter to Fedora, I think there wouldn't be as much fuel to the fire.

Granted, all the chaos surrounding RHEL does make me a little worried for Fedora. Fedora is not a bad distro by any means, and I don't want to have to not recommend it because of the drama.

[–] Qvest@lemmy.world 5 points 1 year ago

The only thing Red Hat has power over Fedora is its name and infrastructure. Red Hat can't decide for Fedora. Do they have Red Hat employees working for Fedora? Yes, they do, but the employees decide for Fedora, not for Red Hat. Besides, all the telemetry drama is being sorted out in the most open way possible over on Discourse (Fedora Discussion). It is still a 100% community distribution despite a lot of people saying "it is already decided" "Fedora is doomed" etc.

load more comments (1 replies)

[–] Zeth0s@reddthat.com 5 points 1 year ago* (last edited 1 year ago) (1 children)

Why would they accept PR at all if they don't have a robust testing process and approvals are dictated by customers needs?

The message as it is now to potential contributors is that their contribution in not welcome, unless it's free labor that financially benefits only ibm.

Which is fair, but the message itself is a new PR issue for red hat

[–] yarn@sopuli.xyz 5 points 1 year ago (2 children)

They do have a robust testing process, but their main focus at the CentOS Stream stage is more about preparing for the stable RHEL build than it is about adding a ton of new features and bug fixes. Testing takes time so it would be physically impossible for them to test everything if they didn't have a limit on the type of contributions they accept. For bug fixes, their limit is that the bug has to be critical. For bugs lesser than that, the correct place to contribute those fixes is in Fedora.

That has been adequately explained in the merge request at this point, if you click in that link at the top of this thread amd read through it to get the latest info. The Red Hat devs have also made no indication that they're not welcome to contributors. Anyone who's saying that is blowing this merge request issue out of proportion.

load more comments (2 replies)

load more comments (1 replies)

[–] LeFantome@programming.dev 44 points 1 year ago* (last edited 1 year ago) (1 children)

Except that they are not expecting to merge this into RHEL. They are sending it to CentOS Stream.

load more comments (1 replies)

[–] angrymouse@lemmy.world 39 points 1 year ago* (last edited 1 year ago) (7 children)

But it is also another stab in the community, they took centos that was a community project for them, then transformed this project that was downstream to upstream, then called all other downstream distros a negative net worth cause they don't engage in the process of RHEL, then blocked the acess to this distros to the downstream, then reject the work of this ppl they called net negative without a decent process.

What actually red hat wants?

Centos now is only a beta branch? Ppl who wants derive from centos should be fixing everything downstream and duplicate work cause centos now is just an internal beta from red hat? If yes, why they took the project from the community? I'm not a rpm based distros user but I totally understand why ppl are pissed.

load more comments (7 replies)

[–] Marxine@lemmy.ml 20 points 1 year ago

That could have been better communicated though. What you said is reasonable, what Michal said isn't as much.

[–] FlexibleToast@lemmy.world 15 points 1 year ago (1 children)

Fedora is where this sort of thing is supposed to go. That's been Red Hat philosophy since forever. Patch as high upstream as you can. Sounds like this is a non issue.

[–] Zeth0s@reddthat.com 2 points 1 year ago (1 children)

The Apparently is already patch on fedora... Just reporting other comments in this thread. But why do they accept contribution to centos of they don't want patches that are not economically beneficial to the company? It is a pretty bad message written as this

load more comments (1 replies)

load more comments (2 replies)

[–] PhysicsDad@lemmy.world 122 points 1 year ago (10 children)

Wasn't Red Hat just complaining that Alma and Rocky didn't add value because they weren't submitting fixes upstream?

[–] cleric_splash@lemmy.world 80 points 1 year ago

There goes the narrative. Didn't last very long, did it?

[–] gomp@lemmy.ml 28 points 1 year ago (1 children)

Its funny how podcasters and commenters seem to have taken Redhat's spin about "contributing value to the community" seriously, while to the rest of us the whole thing was obviously only about money (same as all the follow-ups from other parties... I would say "including Alma" but that would probably deserve its separate debate).

load more comments (8 replies)

[–] Dirk@lemmy.ml 121 points 1 year ago

"Your code has an issue here's a fix for that".

Corporate: no.

[–] ZombieZookeeper@lemmy.world 51 points 1 year ago (1 children)

2023: The Year of the Assholes

[–] dRLY@lemmy.ml 10 points 1 year ago

Truth! I wasn't shocked that all the social media and entertainment companies all decided to treat the Covid years as if that growth was organic/normal (all retail stores started doing this much faster). As if people were just going to keep having the same amount of time to spend on them. Or in the case of sites like Reddit, they think that they are the creators of content instead of the location to get it. Companies like Red Hat are more jarring and seem like they would've been more realistic.

The next two paragraphs are just a rant about companies and the government not really caring for stability long-run. Feel free to ignore.

Of course people were going to start unsubbing now that they need to focus on actual things needed for just living. Covid has shown that all these greedy folks running (or holding shares) companies in all sectors refuse to just be focused on stability. They act like all the crazy large profits were all because of their "genius innovative ideas and leadership." Of course that was going to happen to all the publicly traded companies, due to their literal legal obligation to always make numbers go up. But shit is beyond a bad way to handle the real material conditions of life. It also doesn't help that the US did a worse job at doing things like monthly stimulus money compared to other places.

A capitalist economy requires that people keep buying both needed and wanted things in order to keep things moving around. But instead of putting money into the hands of people, which would then likely buy more things or even have finally something to save for when things normalized (which would be helpful for making the falloff less dramatic). We barely got two total $2000 payments. Fuck, even just making sure folks could have money to finally get out of various debits would mean people could more easily justify keeping things like Netflix.

[–] lengsel@latte.isnot.coffee 47 points 1 year ago (2 children)

Everyone is going to have to accept that RHEL is over and done. Since paying customers are not allow to release the code publicly, overtime it could turn into its own ooerating system that happens to use the Linux kernel, similar to Android.

Forget about Red Hat, they're gone, they're not an option for any small company. Individuals should never have been using Red Hat, but companies are going to have to find something else like Debian/Devuan, FreeBSD, something with a stable branch that gets 3 to 4 years of updates.

[–] gomp@lemmy.ml 6 points 1 year ago (1 children)

RHEL ultimately comes from Fedora (plus Redhat has a great say in where Fedora is headed), so... RHEL won't become sort of an AIX or HPUX anytime soon.

That said, Redhat's move opens up the position of "enterprise-like distro for scientific/technical shops and other people who do their own support" (think, from CERN to small software houses) that so was the reign of RHEL clones (together with Ubuntu, of course).

Those are people who will probably never buy RHEL licenses for all their machines no matter what, so in a sense it stands to reason that RH doesn't care about them (if you think their move is about money rather than falling for the "value to the community" PR spin), but those same people are also trend setters whose choices, in time, trickle down to universities and then companies, and to me it looks like there's a huge opportunity there (and that Alma is currently in the best position to harvest from it in the long run).

[–] lengsel@latte.isnot.coffee 1 points 1 year ago

Is there a reason that Alma and/or Rocky shouldn't try to release their own version of SLES and SLED?

[+] SpaceCadet@lemmy.world 5 points 1 year ago (1 children)

[deleted]

[–] lengsel@latte.isnot.coffee 1 points 1 year ago (6 children)

That's exactly what's already happened. Rocky and Alma are already no longer an option for a free version of Red Hat since Red Hat code is not allowed to be shared, it can only be viewed. Read their own words from Alma and Rocky, what they themself said about oing forward.

Red Hat can also change the license agreement further to include anyone proven to have published source code of Red Hat branded material agrees to pay a fee to Red Hat of no less than $10 million, or whatever price they want to put on it.

Everyone can scream about Red Hat, all they have to have to do is change some wording in agreement that includes fees(fines) for multi millions of dollars, BOOM! Red Hat becomes a proprietary system built on open source software.

SUSE says they will fork RHEL, but Alma and Rocky are over in terms of being a clone. People have asked for years why there is no free 1 to 1 clone of SLES and SLED. IBM is free to choose to turn all of RHEL in a proprietary development and lock it down, unless you can get a court order that says Red Hate's code must be made public, but I don't dare test IBM lawyers over any code that is not released under AGPLv3, only then I would.

load more comments (6 replies)

[–] dimath@lemmy.pt 43 points 1 year ago (1 children)

It still requires a substantial amount of time to review the fix. Depending on the circumstances it might require more time to review a piece of code than to write it.

[–] Secret300@lemmy.world 41 points 1 year ago (2 children)

Alright, at first I was like okay red hat wants to make money to keep IBM happy. Now I just realize it's not read hat anymore. Fuck that I'm moving to suse

[–] Metallinatus@lemmy.ml 9 points 1 year ago

Red Hat literally became the first ever billionaire FOSS company (iirc), their pre-selling out business model was working perfectly fine.

[–] penguin_ex_machina@lemmy.world 29 points 1 year ago

It's a bold strategy, Cotton. Let's see if it pays off for them.

[–] style99@kbin.social 25 points 1 year ago

Debian posted fixes for this at about the same time this fix was proposed.

[–] AnonTwo@kbin.social 22 points 1 year ago (1 children)

Maybe I just don't get it, but how does this work in any way that doesn't make them liable for some company being exploited by something that they were aware could've been prevented?

[–] dragonfly4933@lemmy.dbzer0.com 4 points 1 year ago

Maybe, but in practice nothing happens. Microsoft has had numerous issues reported to them before, years ago, and the issue reported to them was never fixed or taken seriously. Then years later, the issue is sometimes rediscovered and they find the report from years earlier, and nothing happens.

Until legislation gets passed to force companies to take liability of their software, nothing will change.

[–] LeFantome@programming.dev 14 points 1 year ago

This makes me much more upset than Red Hat asking people to rebase on CentOS Stream.

This is ridiculous.

[–] 30021190@lemmy.cloud.aboutcher.co.uk 13 points 1 year ago

I'm sure on CentOS/RHEL7 this will be irrespectivly classified a CVE score of 7.8 so they don't need do security updates for it.

[–] akash_rawal@lemmy.world 11 points 1 year ago (1 children)

That's too much effort. Just advertise the CVE fix and let a paying customer do the effort.

[–] humanreader@infosec.pub 5 points 1 year ago

Free market at work!

[–] Dirk@lemmy.ml 10 points 1 year ago

"You code has an issue, here is a fix for that issue ready to be used."

Corporate: no.

[–] KindaABigDyl@programming.dev 10 points 1 year ago

wow

[–] andruid@lemmy.ml 2 points 1 year ago

I mean obviously for the community this is bad, but I 100% get that doing anything for free is best effort. They don't even need to have this policy 100% of the time to make large orgs using FOSS with no SLA for vulnerability patching sweat. Which frankly they should.

For real, I'm gonna use this as a tactic to say "we shouldn't rely on software without warranty and support, FOSS or proprietary.". Just to get money flowing to devs, because for it's for real reckless to contribute nothing to keeping pieces of your critical infra secure

load more comments