When Red Hat announced that the source code of Red Hat Enterprise Linux (RHEL) will no longer be easily availablehow does it change? copy RHEL alike AlmaLinux, OracleLinuxAnd stone Linux create their distributions. While Oracle and Rocky plan to fight, AlmaLinux has chosen a more peaceful course. That didn’t work out as expected.
AlmaLinux has stopped trying to make the source code 100% compatible with RHEL. Instead, The developers of the AlmaLinux operating system decided to be compatible with the Application Binary Interface (ABI). For most practical uses, that’s more than enough.
Also: Elive 3.8.34: Something beautiful that any classic Linux user would love
Therefore, the AlmaLinux Board of Directors voted unanimously to “keep moving towards create a long-term, enterprise-grade, aligned, and ABI-compatible Linux distribution with RHEL to meet the needs of our community, to the extent possible, so that software running on RHEL will run similarly on AlmaLinux.”
As AlmaLinux president benny Vasquez explained, the exact goal is “ABI compatibility [which] in our case that means working to ensure that applications built to run on RHEL (or copies of RHEL) can run without problems on AlmaLinux. This tuning to expectations removes our need to ensure that everything we release is an exact copy of the source code that you would get with RHEL.”
To do that, AlmaLinux will use CentOS . Stream Source code. In return, Vasquez added: “We will continue to contribute upstream in Fedora and CentOS Stream and to the larger Enterprise Linux ecosystem, just as we have since our inception, and we invite our community to do the same!”
Also: Linux Mint 21.2: Your New and Improved Linux Desktop for the Next Three Years
Officially, Red Hat has nothing to say. However, Red Hatters told me that this is exactly “the approach we’ve suggested that RHEL-like distributions take – working with the broader community in CentOS Stream.”
So what is the problem? Good, The server already knows CTO and AlmaLinux Infrastructure Lead Jonathan Wright recently posted a fix for CentOS Streams for CVE-2023-38403, memory overflow in iperf3. iperf3 is a popular open source network performance test. This security hole is an important one, but not a big deal. However, it is much better to fix it than to let it live and it is eventually used to crash the server.
That’s what I and the others feel anyway. But then a senior Red Hat software engineer replied, “Thanks for the contribution. Now, we don’t plan to solve this in RHELbut we will continue to be open to reviews based on customer feedback.”
That went over like a lead ball.
Also: The best Linux laptop
The GitLab conversation that went on:
AlmaLinux: “Is the client request really necessary to fix the CVE?”
Red Hat: “We are committed to addressing the Critical and Dangerous security issues identified by Red Hat. Vulnerabilities of Low or Medium severity will be addressed upon request upon request. [a] customer or other business requirements exist to do so.”
AlmaLinux: “I can even understand that, but why refuse to fix it when the work is done and just needs to be merged?”
At this point, Mike McGrath, Red Hat’s Vice President of Core Platforms, or RHEL, stepped in. “Maybe we should create a ‘what happens when you submit’ document. Coding is just the first step in what Red Hat does with it. We have to make sure there are no regressions, QA, etc. So thanks for the input, it looks like the Fedora side is going well, so it should end up in RHEL at some point,” he explained.
Things went downhill quickly from there.
Also: Linux has more than 3% of the desktop market? It’s more complicated than that
One user wrote, “You want your customer’s need? This is the customer’s need. FIX IT, otherwise I will NEVER touch RHEL.” While another, growled, “Red Hat: We’re all commercial because Alma never pushes fixes upstream! Also, Red Hat: We don’t want your fixes, Alma!”
On Reddit, McGrath said, “I have to admit we had a great opportunity to gesture of goodwill towards Alma here and fumbling.”
In the end, though The Red Hat Product Security Team rated CVE as “‘Important’ patch has been merged.
So the immediate problem has been fixed. However, the bad feeling was left behind. As Wright wrote, “The worst thing for me is to feel that I wasted my time sending PR [Pull Request] here.” That’s the final reaction you want from developers in the open source community.
Looking ahead, however, Vasquez is optimistic. In an interview, she said, “This is uncharted territory for all of us, and they seem willing to make things better. If we go back to our real goal (improvement of the ecosystem for people), then this interaction is a learning opportunity for everyone. They have processes and practices for getting content from. SIG [CentOS Stream Special Interest Groups] yes, but I hope they will be better off accepting PRs outside of SIG.”
We shall see.
