In a First, AlmaLinux Patches a Security Hole That Remains Unpatched in Upstream RHEL - FOSS Force
Photo : AlmaLinux Day, held on March 18, 2024 in Rust, Germany. Does that mean more Rust in the Linux kernel ? :-)
If anyone’s curious, here’s the RHBZ ticket listing the products RH has patched this in: https://bugzilla.redhat.com/show_bug.cgi?id=2262126
That looks quite weird... RHEL 9.2 was patched in February. RHEL 7 and RHEL 8 have now been patched too, but RHEL 9 (9.3) is still vulnerable?
I think that’s the issue here, but that might just be poor documentation
That's because almalinux is tuxcare, right? They have a long history of offering an alternate support stream for things IBM has grown bored of.
Nice and all, but...
Projects leaching on the work of companies like that, "freeing the code" (which literally just means huge companies will not pay a cent for Linux in the future too) and adding their 2 cents, is not really a big effort.
The same thing with other projects that "became nonfree" and where forked to "stay free".
If a license says "you can use it for free, but need to share profits over x$" it is free software in any way we should be concerned about it.
I think I won't be able to convince you, but one could say RH is leaching on FOSS projects anyway. Well, that's also what FOSS is about. Products people use should be open source, and this extends to business products. (And free as in freedom.)
That would not convince me. First, Red Hat contributes an enormous amount of code and infrastructure to the Open Source world. RHEL ships with a relatively small set of packages and Red Hat is the largest contributor to many of them—certainly many important ones.
More important though is that, for individual projects and code, Red Hat is a regular member of the community. They use code, they contribute code, they distribute all their code for free. When Red Hat creates new projects, they almost always choose the GPL as the license. Their contributions to Open Source projects are available to everyone. They are an unusually staunch Open Source supporter.
When it comes to distributions, Red Hat created the Fedora Project with the express intention of creating a mainstream Linux distro that was explicitly community led and committed to Open Source. The fact that Fedora does not want to ship non-free codecs is an example of the dedication to free software that is by design and part of the Red Hat plan.
Red Hat also runs CentOS Stream which is also Free Software in the licensing sense. CentOS is available to everybody for free. In my mind CentOS is not really a “community” distribution though as its purpose is explicitly to prepare software for selection into RHEL. So, Red Hat is a staunch gatekeeper and the way they manage the project is weighted heavily towards their own interests. It is still completely public and free though. Anybody can do whatever they want with it ( like AlmaLinux does ). This is again, all by design.
Both Fedora and CentOS are explicitly PUBLIC projects. The entire distro, not just the individual projects and packages, is available for free. Red Hat “distributes” these to the world which has particular implications for some of the licenses.
All of the above is 100% Open Source and represents more activity and investment than pretty much any other Linux company. It is an awful lot to ignore by the “Red Hat is proprietary now” crowd. It is a lot for me to ignore when deciding if “leech” is a word applicable to Red Hat.
I am not a Red Hat customer or even user by the way. I used them quite a bit many years ago. I have not used any RPM based distro in quite a while.
Red Hat of course also makes RHEL. RHEL is not a public Linux distribution. Red Hat only “distributes” RHEL to customers. You can be a customer for free ( as in beer ) but you are still a customer and you have to agree to that before Red Hat will distribute anything to you. The reason that I stress this of course is that Red Hat’s legal obligations around RHEL specifically are to their customers and not to the world—not to the public or any self-proclaimed “community” that is not a customer. When I say legal obligations, I am including software licenses which of course includes the GPL.
Red Hat makes 100% of the RHEL code available to their customers of course. This is not just GPL software where they have to but everything, including all the MIT, BSD, and Apache licensed stuff.
There is essentially no software available in RHEL that is not also available in CentOS. There is A LOT more software available in Fedora. People are not interested in RHEL to get access to the software or its capabilities. It is one of the most limited distros as a software library. People that want RHEL specifically want “the distribution”.
What does that mean? RHEL is not just a list of packages. It is a very specific expressions of those packages. It is specific versions. It is specific sets of patches and back ports. It is a substantial body of documentation detailing the behaviour of those specific packages. It is, most importantly, the commitment that Red Hat makes around those packages. Red Hat makes a series of promises. They can do this because of the substantial amount of time and investment they make into testing and profiling those packages—not just individually but as a complete distribution. Perhaps one of the most important promises is that Red Hat promises to maintain and support those packages for many years including timely security updates.
Only a small part of the value of RHEL is “the software”. The software is available from many sources, including in other ways from Red Hat. People wanting RHEL clones want access to all that other stuff that is not software. That is why they have to be “bug-for-bug” clones.
The exact recipe to build each package in RHEL is not meant to be public information. In my view, there is nothing wrong with that.
Can a Red Hat customer distribute the software they get from Red Hat? Yes. The various licenses allow them to do that. They cannot distribute images, logos, docs, and other trademarked stuff of course. But they can distribute the software. They can do that and Red Hat will not stop them ( or at least I am not aware of them ever trying ). Of course, if a customer distributes the exact builds of software they get from Red Hat, Red Hat no longer considers them a customer and will stop distributing FUTURE versions of RHEL to them. Actually, I am not even sure they have done that to anybody. They reserve the right to though. And that, threatening to not distributing their future efforts, is what has upset everybody so much. That is what makes them a leech, or unethical, or evil, or proprietary.
I am not convinced.
Yes for sure and I dont know what I think about that RedHat move. But specifically about redis, (the thing I forgot the name of) and others, I get the feeling they just try to protect themselves against being used for free by megacorps.
one could say RH is leaching on FOSS projects anyway
Not "one could say", that's exactly how it is.
Red Hat is standing on the shoulders of thousands of FOSS projects, and all that is asked in return is that they should allow others to stand on their shoulders too.
Projects leaching on the work of companies like that, "freeing the code".
You mean it the other way, right? Because these companies you defend use the free labor of voluntary developers from the community, which spend hours and hours developing features, fixing bugs and what not, directly or indirectly. That's how open source works.
When these companies change the project license to a closed source one, they're basically saying a big "f*** you" to the community. Forking the latest open source version of the repository is nothing more than an effort to keep things the way they were.
huge companies will not pay a cent for Linux in the future
Linux is FOSS, you can do whatever you want with it as long as you redistribute it without modifying the license. Android does that; every GNU/Linux distribution does that. That's how it works.
if a license says "you can use it for free, but need to share profits over x$"
What you're describing is "freeware", what this post is discussing is " open source software". There's a giant gap between the two.
Then by that logic, redhat is leeching off the work of the Linux kernel developers and the other Foss software in redhat
They offer support for it and contribute a lot to all those projects. But I was mainly focused on projects restricting their license, RHEL is a complicated topic.
Dafuq you talking about, son? RedHat isn't selling FOSS as a product. They are essentially selling enterprise support for a specific collection of packages that are rolled into a Linux Distribution the distribute themselves, and is then backed with a slew of SLA and SLO contracts that back it. On top of that, their own tooling which they do open source is included with thos things. Why do you think Alma exists at all?
They do sell the specific collection, and even more so updates, as a product and restrict redistribution of that product by their customers.
They do their upstream development in the open which is not required but mighty nice of them.
Companies like Redhat are a small price to pay for open source software to exist under capitalism. Would I prefer copyleft software not involve any money at all? Sure. But that's not realistic when Linux is this big and complex. Big companies fund a lot of Linux' development but we get free copy left use of it and that's a good compromise for me.
The reason this is a first is because AlmaLinux recently decided to stop being a bug for bug clone of RHEL. Good for them. As this shows, they are now actually free to add value.
Rocky Linux cannot ship this patch unless RHEL does. Rocky cannot contribute anything by definition.
Well Rocky can contribute, but they’d have to send their patch to CentOS stream and hope it gets merged, then wait for Red Hat to implement the changes. So it’s more roundabout and ultimately is dependent on Red Hat