Apologies in advance, lengthy post coming up, full of assumptions. Perhaps all of this has been discussed already; in that case, apologies (again).
After reading the news (and admittedly panicking a little) I immediately started to investigate how to get Debian up and running with SELinux, particularly for Podman, K3s, K8s. Turned out that the refpolicy wasn’t up to spec compared to the fedora-selinux + container-selinux packages.
Mentioning my panic in various places after reading various news sources, I was sent this link by Daniel J Walsh (SELinux and Containers (podman, buildah etc) engineer at Red Hat) which got me thinking…
If I understand the various Red Hatters commenting on the whole affair correctly (and I may very well be wrong and may have missed key issues), their stance is:
(0. They want to combat other outfits from profiting from their work and investment into the product. Which they worded in a way that dare I say was a tad hostile and one-dimensional.
-
The reason CentOS Stream is not suitable for production is not so much about code quality as it as about packaging and delivery. The claim is that anything in Stream has already passed all the testing and other stringent requirements, it is the rolling release element that makes it unsuitable for production.
-
Due to the delay in RHEL patches making it to downstream distributions, they argue that no downstream distribution is truly ‘bug-for-bug’ compatible with RHEL.
-
They take the view that downstream distributions give nothing back.
My proverbial 2 cents:
- When looking at Oracle Unbreakable Linux, that is fair. They essentially make money for support that should be going to RH, not other commercial entities.
When looking at true community supported distributions (i.e. Almalinux, Rocky Linux) it is more complicated I reckon. When small startups and businesses who do not have thousands of dollars to spend on subscriptions use a community distro, that is fair – pay when you can, but not necessarily from day 1. When large companies run hundreds of servers and thousands of containers are using a community distribution, it’s not quite the same. Surely, there should be some way for them to contribute (in a measurable way) in that case, either financially or developmentally.
-
Having thoroughly ignored CentOS Stream when it was announced and switching to Almalinux when first possible, I was unaware of that. That does open up some perspective and opportunities, I would think.
-
Fair point, but not as relevant for small, obscure organisations using a community distribution at small scale.
-
A bit of a one-sided viewpoint, I believe. There must be plenty of users submitting bug reports as well as providing upstream assistance. Even though some outfits are seeking monetary gain (which is indeed unfortunate for RH), there is also the whole community ecosystem to consider. A large part of it now very unhappy and likely to jump ship, with a lot of potentially hazardous consequences for both RH and the FOSS community at large.
The ‘solution’ some Red Hatters seem to be pointing at is to change the nature of distributions based on RHEL. Rather than being a (delayed) downstream edition, they suggest syncing up with day 1 of a CentOS Stream release. (at which point it should be in sync with RHEL).
Teams could then test and package updates in a more production friendly way than the CentOS Stream default way. This would result in a mostly compatible RHEL derivative, albeit with half the life-cycle, which for many users would be ‘good enough’ (i.e. a container host for web hosting, LAN services and other basic things). They’d at least have a solid foundation to build an infrastructure with. This would, of course, increase the workload for teams such as Almalinux and Rocky Linux considerably.
They say that the updates and patches in Stream have already gone through rigorous testing and thus are of high quality, the problem not being one of content, but of packaging and delivery. If I understand all that correctly, it would be akin to Ubuntu LTS being a derivative of Debian Testing. If adopted, this would also open up opportunities for potential feature updates being pushed from the derivative to either Stream or Fedora.
While that isn’t what many people and organisations would want to consider (larger ones in particular), it would be a long-term path forward for smaller outfits.
Would it not be worth discussing if it were feasible to make an Almalinux CE next to regular Almalinux? Provided enough volunteers and funding could be obtained, of course. Supporting AlmaLinux 8 and 9 for as long as feasible, while offering an AlmaLinux CE on the side for future migration, testing and early adoption for smaller and more nimble outfits, I mean.