/cdn.vox-cdn.com/uploads/chorus_asset/file/24016885/STK093_Google_04.jpg)
/cdn.vox-cdn.com/uploads/chorus_asset/file/24808816/Starfield__The_Settled_Systems___Supra_Et_Ultra_____Starfield__The_Settled_Systems___Supra_Et_Ultra_2023_7_25_94252.263_1440p_streamshot.png)
When Red Hat announced that the source code for Red Hat Enterprise Linux (RHEL) would no longer be readily available, it changed the way RHEL clones were made. almalinux, oracle linuxAnd Rocky Linux Build their distros. While Oracle and Rocky plan to fight, Almalinx chooses a more peaceful route. It did not work as well as had been expected.
AlmaLinux has stopped attempting to be 100% source code compatible with RHEL. instead of this, The Almalinux OS developers decided to be Application Binary Interface (ABI) compatible. For almost all practical use purposes, this is more than sufficient.
Too: Alive 3.8.34: A thing of beauty any old-school Linux user will love
Therefore, the Almalinx board voted unanimously to “continue target” Build an enterprise-grade, long-lasting distribution of Linux that is aligned and ABI compatible with RHEL In response to the needs of our community, this has been done to the extent possible, such that software that runs on RHEL will also run on Almalinux.”
As Almalinux chairperson Benny Vasquez explained, the exact goal is “ABI compatibility (which in our case) is to work to ensure that applications built to run on RHEL (or RHEL clones) can run on Almalinux without issue. Adjusting this expectation takes away our need to make sure everything we release is an exact copy of the source code you’ll find with RHEL.”
To do this, AlmaLinux will use centos stream source code. In turn, Vasquez said, “We will continue to contribute upstream to the Fedora and CentOS streams and the larger enterprise Linux ecosystem, as we have been doing since our inception, and we invite our community to do the same!”
Too: Linux Mint 21.2: Your new and improved Linux desktop for the next three years
Officially, Red Hat had nothing to say. But, I’m told by Red Hatters that this is exactly “the approach we recommend for RHEL-like distributions – working with the wider community in the CentOS stream.”
So what’s the problem? Well, known host CTO and Almalinux Infrastructure Team Leader Jonathan Wright recently posted a CentOS Stream fix CVE-2023-38403, a memory overflow problem in iperf3, iperf3 is a popular open-source network performance test. This security hole is a significant one, but not a major problem. Still, it’s better to fix it than to leave it lying around and see it eventually get used to crash a server.
That’s what I and others have felt anyway. But, then, a senior Red Hat software engineer replied, “Thank you for your contribution. At this time, We do not plan to address this in RHELBut we will keep it open for evaluation based on customer feedback.”
He went up like a lead balloon.
Too: best linux laptop
The GitLab conversation went on:
Almalinux: “Is customer demand really necessary to fix CVEs?”
Red Hat: “We are committed to addressing critical and critical security issues as defined by Red Hat. Security vulnerabilities of low or medium severity will be addressed on demand when (a) customer or other business requirements exist.”
almalinux: “I can understand that too, but why reject improvements when the work is already done and all you have to do is merge?”
At this point, Mike McGrath, Red Hat’s VP of Core Platforms, aka RHEL, stepped in. He explained, “We probably have a ‘what to expect when you’re submitting a ‘doc’. Writing the code. Writing is only the first step in what Red Hat does with it.”
Things quickly went downhill from there.
Too: Linux has more than 3% of the desktop market? it’s more complicated than that
One user wrote, “You want a customer demand? Here’s a customer demand. Fix it, or I’ll never touch RHEL again.” while another quipped, “Red Hat: We’re being downright commercial because Alma never pushes reforms upwards! Also, Red Hat: we don’t want your reforms, Alma!”
McGrath said on Reddit, “I will admit we had a great opportunity Here Alma made a gesture of goodwill and staggered.,
eventually, though The Red Hat Product Security Team rated the CVE as “‘critical'”. The patch was merged.
So, the immediate problem has been resolved. Still, bad feelings are left behind. As Wright wrote, “The worst part of it for me is to feel I also wasted my time by submitting a PR (Pull Request) Here.” That’s the last response you want from developers in the open-source community.
However, looking ahead, Vasquez is optimistic. In an interview, he said, “This is uncharted territory for all of us, and they seem keen to improve things. If we go back to our real goal (to improve the ecosystem for all), this conversation is a learning opportunity for everyone. They have processes and practices to get things done.” SIG (CentOS Streams Special Interest Group) Already, but I hope they get better about accepting PRs outside of SIG.”
we will see.
