Red Hat continues its rather impressive string of decisions that have angered the Linux community, this time by passing on a security fix contributed by an AlmaLinux dev.
Red Hat made itself the target of widespread scorn in the Linux community when it announced the source code for Red Hat Enterprise Linux (RHEL) would be placed behind a paywall, only accessible to customers. What’s more, the company’s user agreement specifically forbids sharing RHEL code, something that is widely seen as a violation of the GPL, at least in spirit and possibly in letter.
The move was seen by the community as a way to kill off Rocky Linux, AlmaLinux, and Oracle Linux, all of which were downstream distros that offered 1:1 compatibility with RHEL. In addition to the Linux community, both SUSE and Oracle condemned Red Hat’s actions.
Interestingly, part of the justification Red Hat used for its decision was to imply that Rocky Linux, AlmaLinux, and Oracle Linux did not contribute upstream and were simply benefiting from all the work Red Hat was doing. The company also made clear that those wanting to contribute should do so via the CentOS Stream project — CentOS being another downstream RHEL-compatible distro that was acquired by Red Hat and moved upstream of RHEL.
As it turns out, AlmaLinux developer Jonathan Wright did exactly what Red Hat asked and contributed a CVE fix to CentOS Stream. The fix in question addresses a vulnerability that other distros have rated “Severe.”
Red Hat developer Michael Ruprich responded to Wright’s contribution as follows:
Thanks for the contribution. At this time we don’t plan to address this in RHEL but we will keep it open for evaluation based on customer feedback.
Mike McGrath, the Red Hat VP who initially revealed the RHEL change and penned a followup blog post, weighed in as well:
We should probably create a “what to expect when you’re submitting” doc. Getting the code written is only the first step in what Red Hat does with it. We’d have to make sure there aren’t regressions, QA, etc. QA in particular is going to be unpredictable because we may decide not to take a MR simply because the team doesn’t have the ability to test it (or add docs, or whatever). So thank you for the contribution, it looks like the Fedora side of it is going well so it’ll end up in RHEL at some point 😄
Needless to say, Red Hat’s response to Wright’s fix is not going over well. Some users are questioning why it takes “customer feedback” to get a security issue fixed, especially one that other distros have rated “Severe.”
Jeff Geerling, a well-known open source developer who has been a vocal critic of Red Hat’s actions, highlighted the irony of the company’s decision not to include Wright’s fix:
Red Hat: Rebuilders contribute n̶o̶ ̶v̶a̶l̶u̶e̶ negative net value to RHEL. Contribute to CentOS Stream instead!
Rebuilder AlmaLinux: okay we’ll build off CentOS Stream. [Proceeds to submit patch to Fedora + Stream for a CVE against iperf3]
Red Hat: No, not like that!
Red Hat already has a well-earned reputation in the Linux community for going back on its word, and its recent RHEL decision has led to a huge loss of trust; this latest incident will only add to that.
It is hard to fathom how the company keeps managing to step in it over and over again.