I want to be clear on my bias here: I firmly believe that open source would not be a ‘thing’ if it weren’t for Red Hat. Linus Torvalds himself once said (albeit 10 years ago) that the shares he received from Red Hat before their IPO was ‘his only big Linux payout’. I don’t think anyone would disagree with the statement that Red Hat has had a major significant positive impact on Open Source across the world.
This morning I listened to an excellent podcast called “Ask Noah” where he interviewed Red Hat’s Mike McGrath who has been active on the linux subreddit and other social media. It seems that Mike has been involved in the decision to restrict Red Hat’s sources on git.centos.org:
https://podcast.asknoahshow.com/343 (listen at ~20 mins)
It’s really worth a listen. Mike clearly lays out the work that Red Hat (I was surprised to find out that it is NOT the Rebuilders) does to debrand the Red Hat sources, why they’re pulling that back on those unbranded sources, and that they understand the ramifications of doing so. It’s also interesting that Mike is of the opinion that there is nothing wrong with doing a Rebuild, and he defends them by stating “that’s the cost of doing business”. Noah and Mike go into many of the nuances of the decision and again, it’s really worth listening to. Mike also talks about “bad faith” when dealing with the Rebuilders at 40:30, which I think explains Red Hat’s decision. I got the distinct feeling he’s bound by some ethical code so he won’t/can’t say too much though.
There’s also this discussion about Rocky Linux securing a contract with NASA:
https://news.ycombinator.com/item?id=36417968
that had a lot of internal discussion at my company this week, which given what’s just happened may shed some more light on Red Hat’s decision.
There are always two sides to every story but in this case there are three sides to this story.
On one side, you have Red Hat, a long time champion of open source software, that has poured billions of dollars into open source development, and which has 1000s of employees who not only on ‘company’ time but in their own time manage, develop, contribute, and create open source code. They have funded countless successful and unsuccessful projects that we all use.
Against Red Hat are two largely distinct groups. The first is the Rebuilders themselves, who Red Hat has claimed ‘don’t offer anything of value back to the community’. This is not meant to be a statement on the usefulness of the rebuilds (Rocky, Alma, Oracle, etc.) but rather a very directed statement on whether or not the rebuilders are providing bug report, feedback, and contributions to the packages that Red Hat has included in RHEL.
The second group, which stands somewhat behind the Rebuilders, are the Rebuild users. One could argue that the users are caught in the middle of Red Hat and the Rebuilders, however, I think it is better to look at them as being an equal ‘side’ in this discussion.
The Rebuild users are in a very unfortunate position: they’re about to lose access to a free product that they’ve come to depend on. They are, as expected, unhappy about Red Hat’s decision to stop providing access to RHEL sources. My next statement is callous, and I expect it to be read as such: You get what you paid for. That is not meant to indicate anyone is cheap, it’s just that you shouldn’t have expectations when you are using something for free.
Here’s the interesting part for me. As far as I can see, none of the users are jumping to the Rebuilder’s defence of Red Hat’s accusation that the Rebuilders provide nothing back to the community. And, as far as I can tell across various social media and news platforms’ comments sections, largely the user community AGREES with Red Hat’s position. Informed users – not all users – are using a RHEL Rebuild knowing that there is no benefit in doing so for the community.
I have yet to read a reply from the Rebuilders where they categorically deny that this is the case. And to me, that’s glaring and damning of the Rebuilders’ position. Even the ‘defenders’ (for lack of a better word) of the Rebuilders have yet to provide a response.
deleted by creator
On one side, you have Red Hat, a long time champion of open source software, that has poured billions of dollars into open source development, and which has 1000s of employees who not only on ‘company’ time but in their own time manage, develop, contribute, and create open source code. They have funded countless successful and unsuccessful projects that we all use.
As far as I’m concerned, this is simply not relevant to the issue at hand. Yes, Red Hat has made many, many contributions to open source over the years. That is beyond question, and I thank them for it. It does nothing to excuse their current behavior though. All of those contributions were freely made under the GPL. Red Hat cannot retroactively say “well, we’ve made enough contributions that we think these shouldn’t be free any more, please pay us money.” Under the GPL there is literally no threshold where that is allowed.
Red Hat knows this of course, so instead they’re putting the source behind a click-through license agreement. In order to access their source trees you now have to agree to their license, which states that you’re not allowed to redistribute what you’ve been given. Of course the GPL also has language specifically designed to prevent such attempts. There’s a “further restrictions” clause that allows those receiving GPL source code to remove any further restrictions that weren’t in the GPL originally. That would allow Red Hat’s customer to legally redistribute that source code, as was always intended under the GPL.
But Red Hat lawyers know this too! They know that their customers have the legal right to strip off the extra restrictions imposed by that click-through license wrapper. So how then do they enforce this restriction? With threats and coercion. “Forgo your GPL rights, or we’ll stop supporting the software we sold you / deny you any further access.” What amount of past open source contributions make it OK for Red Hat to threaten their customers in an effort to prevent them from exercising their rights under the GPL? I say there is no amount of past contribution that makes Red Hat’s current behavior acceptable, just like there’s no amount of past contribution that would make it OK for them to close the source entirely.
Here’s the interesting part for me. As far as I can see, none of the users are jumping to the Rebuilder’s defence of Red Hat’s accusation that the Rebuilders provide nothing back to the community.
I’ll be happy to do so. At least some of the users of downstream distros are using them so they can validate the compatibility of their code with RHEL, without having to subject themselves to Red Hat’s licensing terms. Jeff Geerling is one such example. They are (or in some case were) providing direct value to Red Hat’s customer, and thus indirect value to Red Hat themselves, by validating that their own contributions would work in RHEL. Red Hat’s choices make their efforts harder, and call into question whether FOSS contributors should continue to make efforts that indirectly benefit Red Hat.
Personally, the company I work for has been using CentOS for many years because Red Hat wanted to place onerous licensing restrictions on any use of RHEL in the cloud, which is where most of our testing is done. To be clear, my company doesn’t use RHEL internally on its own production systems, nor do we redistribute it in the products we sell. The only reason we care about testing against RHEL is because many of our customers use RHEL on their production systems. Our only motivation is to make sure that our products work correctly when they interoperate with RHEL systems at our customer sites. Are we “taking” from Red Hat by doing this? I say the opposite. Our customers benefit directly, and Red Hat benefits indirectly when such mutual customers can do more and better things with their RHEL systems.
And let me tell you, Red Hat has not been fun to work with. We’re a member of their partner network, we’re doing this testing so we can help our mutual customers do the things they want to do, and Red Hat has been a pain in our ass at many turns. Their awful account management makes it harder to onboard new employees and get them set up for testing on RHEL. Red Hat threw licensing curveballs at us like “oh btw cloud usage is no longer covered under the partner license, move all your testing on-prem in 30 days or pay us $texas, kthxbye!” (We scrambled and switched to CentOS in the cloud in record time instead.) They subject us to annoying, time-consuming audits. CentOS for testing is a breeze by comparison, with no need to worry about accounts or audits or subscriptions or entitlement usage.
That would allow Red Hat’s customer to legally redistribute that source code, as was always intended under the GPL.
I don’t think it is that simple. You (and seemingly everyone else) seems to be ignoring the fact that the source package is not just GPLed software. Not all packages are under GPL but even the ones that are consist of the GPL application code and the spec file used to build the source. This spec file (and related package files not from the original application) don’t need to be under the same license as I do not think it counts as derivative work - it is not linked into the final binary at all.
I do not know what license the packaging code is under. I don’t think I have ever seen anyone put a license on packaging scripts like this. But there is an argument that Redhat own and can control the distribution of these packages even if they cannot control the redistribution of all the contents of the package.
Not a lawyer so I don’t really know how these interplay, but to me it seems that they have some grounds to do what they did. Even if I disagree with their actions are the right move for them to make.
You (and seemingly everyone else) seems to be ignoring the fact that the source package is not just GPLed software. Not all packages are under GPL but even the ones that are consist of the GPL application code and the spec file used to build the source. This spec file (and related package files not from the original application) don’t need to be under the same license as I do not think it counts as derivative work - it is not linked into the final binary at all.
I downloaded a GPL’d source RPM (
glibc
) out of curiosity and extracted it, and there’s not much licensing information to be gleaned there. The only license I could find in the package is the GPL itself. Aside from the source code, the package contains a whole bunch of .patch files, the spec file, and a few other scripts. With no copyright header on the script files and no other license files, it’s not clear what license they’re held under. I would expect the GPL as well, based on that, but who know. As for derived works, let’s see what the GPL has to say about those (I know there are other licenses, but I’ll stick to this one for now):These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works.
So whether a spec file can be held under a separate license from the GPL depends on whether it “can be reasonably considered (an) independent and separate work.” Does the spec file have value in isolation? To me it would seem like it wouldn’t, it can only provide useful functionality when combined with the GPL’d source code. To my mind that would make any packaging specifics derivative work under the terms of the license. Also, the spec file is not distributed “as (a) separate work”, you download it with the GPL’d source code as an atomic unit. That to me would be another point in favour of considering the spec file a derived work.
Not a lawyer so I don’t really know how these interplay, but to me it seems that they have some grounds to do what they did. Even if I disagree with their actions are the right move for them to make.
I’m not lawyer either of course, and I regret not saying as much in the original post. Whether Red Hat can legally do what they’re doing… no one can actually say with certainty. We’ll only find opinions of varying degrees of quality, but we won’t have any certainty on the subject unless and until there’s a court case that sets a precedent. Personally though, I am 100% convinced that what they’re doing is morally wrong, no matter what the letter of the law says.
With no copyright header on the script files and no other license files, it’s not clear what license they’re held under. I would expect the GPL as well, based on that, but who know.
Yeah, it is not clear. But if there is no obvious license and the GPL does not extend to it then the assumption is that it is unlicensed. But I suspect RedHat have things in their main license to cover this? I am not going to go through reading all that to find out though (I don’t have that much skin in this game TBH). But if not the default is unlicensed, not the GPL. Which turns the main argument into:
So whether a spec file can be held under a separate license from the GPL depends on whether it “can be reasonably considered (an) independent and separate work.”
Does the spec file have value in isolation?
I don’t think that is a good yard stick here. If a GPL program produces a document file that can only be used by that program does not force that file to be under the GPL. Or else no one would ever be able to create any creative works under GPL software and that would be a dangerous precedence to set. Or hell, any linux binary that needs the linux kernel to run would come under the GPL as well. Since they don’t have value in isolation since you cannot run them without the kernel.
Also, the spec file is not distributed “as (a) separate work”, you download it with the GPL’d source code as an atomic unit.
The license does cover this and explicitly calls out that just packaging something with GPL software does not mean the GPL applies to that packaged code:
A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an “aggregate” if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation’s users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate.
So, it comes down to what is counted as an extension. And TBH could be argued either way. What about package formats like the Arch Linux packages? They don’t include the source, just links to download it but can include patches to modify them. Or what if you have a CI/CD system that builds a GPL licensed work is that now covered by the GPL?
Fundamentally all of these are doing the same job - building some GPLed software. Where is the line drawn on extensions to the covered work?
Personally I don’t really know - I am not a lawyer and this will likely only be something decided by a court. I can see argument both ways so I don’t think the assumption that RedHat are doing anything legally wrong here is correct. We just don’t know ATM (at least I and I bet most people here).
Personally though, I am 100% convinced that what they’re doing is morally wrong, no matter what the letter of the law says.
This 100%. I do think what they are doing is morally wrong. Though, maybe for different reasons. I hate that companies can rug pull things their customers have enjoyed, and come to rely on for such a long time. Suddenly pulling support for something without notice or any form of compensation is something that happens far too much these days and IMO should not be allowed.
But if they had restricted it in the first place and no one ever built things on top of it in the first place - I am not 100% convinced that is as morally wrong.
I hate that companies can rug pull things their customers have enjoyed, and come to rely on for such a long time.
Yeah, that’s probably part of why I feel so strongly about this. I relied on CentOS in my dev/test pipeline for years, so I’m effectively one of the individuals that was rug-pulled. Will Red Hat now try to squeeze us for license revenue again, at a time when sales are tight and cost controls are even tighter? Will I need to rework my dev/test pipeline to use AlmaLinux or RockyLinux, and maybe rework it again if Red Hat’s restrictions end up making those not a 1-for-1 replacement for RHEL testing? The uncertainty is unwelcome.
But if they had restricted it in the first place and no one ever built things on top of it in the first place - I am not 100% convinced that is as morally wrong.
Possibly not, though I have to wonder whether Red Hat would still enjoy their current market position if they hadn’t been allowing this to begin with. That others could easily build on top of what they built is part of what made RHEL probably the dominate enterprise Linux distro on the market today. It’s the one I see installed most often at customer sites at any rate.
I’m not sure this maps 1-to-1, but it feels like Red Hat might end up enshittifying their own OS in an effort to extract more revenue from it. Doing so could easily backfire on them. Any restrictions they add to generate more revenue also add friction for third-party developers looking to interoperate with the OS. Some of them may choose to stop directly supporting RHEL as a result. Too much of a pain, let some RHEL customer take care of that. But most Red Hat customers are paying for RHEL because they don’t want to do those sorts of things. They want to install the OS, install the software they need, and get on with whatever their core business happens to be. Over time, this could corrode the value of RHEL itself.
Possibly not, though I have to wonder whether Red Hat would still enjoy their current market position if they hadn’t been allowing this to begin with. That others could easily build on top of what they built is part of what made RHEL probably the dominate enterprise Linux distro on the market today. It’s the one I see installed most often at customer sites at any rate.
I do not think they would have grown as much without being so open to start with. But that does not change the moral implications if they had been closed to begin with. In fact I think the opposite, it feels much worst what they are doing because they used the openness to grow so much and gain market share. But then once they are dominate in the enterprise space they try to pull back control and restrict what people can do. It feels like being used to gain popularity and favour only to be betrayed for a bit more money in the short term.
I’m not sure this maps 1-to-1, but it feels like Red Hat might end up enshittifying their own OS in an effort to extract more revenue from it.
Yes, I believe they will/are doing this. Seems to be an inevitable thing for profit driven companies to do. We are seeing so many companies doing this in recent time.
I have one major quibble with your analysis. It is this: Redhat no longer exists as an organization. Redhat is merely a trademark of IBM. You can’t defend IBM’s actions based on Redhat’s history. That was a different company
One other thing I want to add: I’ve read a bunch of comments about how the Rebuilds were used in educational and scientific settings, and that there is a prohibitive cost for RHEL in those environments. After reading so many comments about it, I have to believe that Red Hat is going to make some modification to their Developer License program to allow more than 16 ‘seats’ for those use cases.
Yes, from what I’ve heard they are raising to just over 200 (iirc there was already an agreement for this but the caveat being the type of services the systems ran) which still doesn’t cover many educational and academic research scenarios. We’d only be covered about 30% and we operate a comparatively small environment.
I don’t have any expectations of them doing this (but I also have no expectations to the contrary), but I think it would be a good move from Red Hat to make the official RHEL more available, as you suggest.
In another thread I compared the RHEL rebuilds to piracy, and in that vein one could quote Gabe Newell and say that piracy is a service problem – part of the reason Alma/Rocky/etc. exist is because there is a group of users who want to use RHEL but cannot afford it. Red Hat seems to believe that these users should be satisfied with CentOS Stream, and maybe most of them would be, if they only gave it a try. But making RHEL more widely accessible, both to paying users and developers, would probably be good too.
Accusation that the Rebuilders provide nothing back to the community.
Actually, what Redhat are saying about rebuilders is that they “don’t add value” - and that’s for Redhat, NOT to the community which they patently do. That’s quite a badly twisted misquote there, friend.
Also, Redhat didn’t create open source software. They’re a big player, sure, but I remember writing and releasing my code back in the 80s and 90s when it was called Freeware and Public Domain and distributed on cassette tape.
First off your argument that red hat deserves to see returns on their investment. But restricting redistribution of “their” software is a direct violation of the GPL license that they agreed to by working with GPL software.
Not to mention that the reason rocky Linux exist is because red hat killed centos.
Ree Hat has stabbed the community in the twice with the help of IBM and greed. My only hope is Oracle sues them over this express GPL violation, or that IBM’s lawyers realize there will be trouble. In my opinion anyone at red hat that tries to justify this should be ignored.
What’s the harm in doing a rebuild? Serious question. I simply don’t understand where the harm comes from. I would appreciate any insight. Thanks.
I don’t think there is anyone arguing that a Rebuild by itself is a problem. Given Mike’s comments in the podcast linked above, the problem Red Hat has is when one of those (or many of those) competed directly against Red Hat for a contract.
From the general feeling I get from reading many threads on this issue, the general consensus is that the community agrees that, specifically, this behavior by the Rebuilders is wrong.
Oh, I see. But what do you think of this translation:
“Company Foo makes TVs and is always working to make them better. They give them out for free with the hopes of making money installing them and providing guidance on how to use them, but someone starts Company Bar and installs them for cheaper and starts taking on installation jobs.”
Is this wrong? Isn’t this just the definition of an open market? Please let me know if I’m missing some kind of context. I hope that we can continue to discuss this respectfully.
I should say that I want any open source project with the motivation to write good software to have all of the funding they need to make that happen. I just don’t see how it can be justified in this instance when compared to any other market.
There is no problem with your scenario, and it’s spot on to the issue that Red Hat has raised.
However, the piece you’re missing is that the TVs come from Foo. They don’t have to give company Bar TVs to install. If company Bar doesn’t have TVs then what should they do? They have some choices: work with Foo or develop their own TV.
I don’t see how Company Foo can dictate that all other entities (customers, for example) can receive a free TV on their doorstep (since the code is open source) except for Company Bar. To make it map better to the situation, Company Bar would receive a shipment of free TVs, rebrand them, ship them out to customers, and install them.
“They don’t have to give Company Bar TVs to install.” So the GPL doesn’t require that Company Foo permit free access to the TVs? They could decide to not give out their TVs to anyone?
Also, what if I wanted to get my cousin a free TV but charge him a few bucks to install it? Is this only a problem at scale?
Here’s where your analogy falls apart. The TV isn’t being shipped to everyone. It’s being shipped (“rebuilt”) by Bar, and then installed by them. They’re free to do that but Foo is under no obligation to help them do it.
Within the analogy (as it compares to Redhat and the Rebuilders), how is Foo helping Bar? Isn’t Foo simply leaving the TVs outside the factory for people to come and pickup? A bunch of trucks branded “Bar” come by, pick some of them up, rebrand them, and take jobs to install them, jobs that Foo thought they were going to get? Isn’t Foo now requiring individual people to walk through a lockable door, sign their name, verify that they don’t work for Bar, and grab a TV instead of just leaving them outside in a pile?
Yes, that kind of makes sense, but Foo was leaving the TVs outside because they thought that was the most expedient thing to do. It takes effort to move them outside, and Foo doesn’t want to do that anymore. So now Foo, as you point out, has moved the TVs inside where only paying customers can get them.
It seems that he is bother by how they rebuild it and then do not add or contribute any code and then sell support to the customer on REHL work which in my opinion its not okay and I will agree with RedHat.
Nice post, and a good overview over why RedHat is doing what it’s doing.
Before reading this I wasn’t really feeling good about redhat and the stuff happening rn but now i’m able to understand the decision making and there’s still hope for me that redhat won’t turn into a shitshow in a couple years haha
Also working with RedHat in the past has been quite nice so it’s good that i don’t feel a slight hate against the company anymore.
Quite hard to solve the problem when everyone is so emotional
Thanks again for the very informative post!
I have not listened to the podcast unfortunately.
Rebuilders are fine, and RedHat is fine to not spend the effort to debrand their source rpms. The problem is one of value. The value RedHat provides for some people is probably worth more than RedHat charges. The value RedHat provides to others is less than the effort it takes to renew a developer license once a year for 16 installs. The problem is that there are several who are ending support for RHEL because they fall into the latter group (notably Jeff Geerling for ansible roles). RHEL losing out on that support might be huge, might not, only time will tell.
My company runs thousands of centos VMs. We cannot exist if we have to license rhel. We’ve been working on switching to Alma. We may have to look elsewhere for a free distro that has robust SeLinux support.
Can’t you keep using CentOS stream? Isn’t it still a very stable distribution? Just slightly upstream of RHEL instead of downstream.
I might be wrong but AFAIK the only other big company that’s contributing to Fedora is Facebook/Meta. If Oracle etc. were also contributing to Fedora, my gut feeling is that Red Hat would not be so pissed about rebuilding RHEL because RHEL would also be benefiting from Oracle’s Fedora contributions.
Red Hat wants to inherit the hard work of millions of developers doing billions of hours of work, to take that common heritage built by three generations of people’s work, and take it away. To which I say, nuts.
Your colonial bullshit is not wanted here. You can’t just walk in and say “this is mine”.
They should have gone with *BSD flavours if they wanted to take this route. This is not how things are done when software is GPL licensed. I’m sure a lot of the Rocky/Alma/Oracle devs contribute to a lot of the source code in the kernel and other projects, but they don’t expect to get special treatment because of it.
The projects will continue. This just makes it a bit harder, but not too hard. Make a server that fetches all of the patches released for CentOS, cron job to check for hourly changes. If there’s new sources, download them, if not, do nothing. Keep all of the patches till a new version of RHEL is released. Just apply the same patches that that current version of RHEL implements, repack, done. The same goes for the minor versions and bugfixes
Thanks for a solid assessment of the situation and providing some sources 👍
Was Almalinux and Alpine charging customers for support in their builds?
Alpine is completely separate by RHEL by a country mile (hell, it doesn’t even use glibc). You’re probably thinking of Rocky
I don’t think Mike McGrath called out any specific company but if you look at that ycombinator link it looks like the ‘offender’ was Rocky Linux. That is purely speculation on my part.
Well if thats the case thats really bad in my opinion , I might side with Redhat on this one.
If I listen to that video will I, in fact, get a laptop for free? Inquiring minds wanna know.
So joke aside, I don’t see anything in that video that is a defence of the Rebuilders against the accusations made by Red Hat. Is there something I was supposed to get out of watching it?
So i guess ultimately, no, it doesnt counter the claim that rebuilders don’t contribute upstream. Ultimately though, I see this as a diversion. It is counter to the way the opensource community has traditionally operated.
So no, it is not a defense of the rebuilders except to say that the rebuilders have done what has been the norm for decades. Opensource is full of forks and derivitave projects.