AlmaLinux discovers that working with Red Hat (and CentOS Stream) is not easy

by time news

2023-08-01 08:30:00

After Red Hat’s decision to share the RHEL source code only with subscribers, AlmaLinux asked bug reporters to “try to test and replicate the problem also in CentOS Stream, so we can focus our energy on fixing it in the right place.”

Red Hat told Ars Technica that they are “eager to collaborate” on their CentOS Stream distribution, “even if we ultimately compete in a business sense. Differentiated competition is a sign of a healthy ecosystem.”

But Red Hat still managed to ruffle some feathers, reports ZDNet: AlmaLinux infrastructure team leader Jonathan Wright recently posted a CentOS Stream fix for CVE-2023-38403, a memory overflow problem in iperf3. Iperf3 is a popular open source network performance test. This security hole is important, but not a big problem.

Still, it’s much better to fix it than to let it hang around and see it eventually used to crash a server. That’s what I and others feel anyway. But then a Red Hat senior software engineer responded, “Thank you for the contribution. At this point, we do not plan to address this in RHEL but we will keep it open for evaluation based on customer feedback.”

That went over like a lead balloon.

The GitLab conversation continued:

AlmaLinux: “Is customer demand to fix CVEs really necessary?”

Red Hat: “We are committed to addressing critical and important security issues as defined by Red Hat. Security vulnerabilities with low or moderate severity will be addressed upon request when [a] customer or other business requirements exist to do so.”

AlmaLinux: “I can even understand that, but why reject the solution when the job is already done and you just have to merge?”

At this point, Mike McGrath, Red Hat’s vice president of Core Platforms, also known as RHEL, chimed in. He explained: “We should probably create a ‘what to expect when shipping’ document. Getting the code written is just the first step in what Red Hat does with it. We would have to make sure there are no regressions, QA, etc... So thanks for the contribution, it looks like the Fedora side is going well, so I’ll end up on RHEL at some point.”

Things went downhill quickly from there…

On Reddit, McGrath said: “I admit we had a great opportunity for a gesture of good faith towards Alma here and we failed.”

Finally, although Red Hat’s product security team rated the CVE as “Important ,
Coincidentally, last month AlmaLinux announced that its move away from 1:1 compatibility with RHEL meant that “we can now accept bug fixes outside of Red Hat’s release cycle.”

This Thursday, AlmaLinux also reiterated that they are “fully committed to providing the best possible experience for the community, no matter where or what you run.” And in an apparent move to beef up compatibility testing, they announced they would be bringing openQA to the RHEL ecosystem. (They describe openQA as a tool using virtual machines that “simplifies automated testing of the entire operating system installation process on a wide mix of software and hardware configurations.”)
