https://web.archive.org/web/20230630111531/https://rockylinux.org/news/keeping-open-source-open/
Article
Every user of Rocky Linux is valued and their contributions matter. From software engineers to IT professionals and hobbyists, together, we are all part of the Linux and open source community. The Rocky Enterprise Software Foundation was established based on our shared vision that open source software should remain stable, accessible to all, and managed by the community.
This commitment is ingrained in everything we do. Since the inception of the Rocky project, we have prioritized reproducibility, transparency in decision-making, and that no single vendor or company can ever hold the project hostage. When we first started, we discussed our model and mission, and we decided not to bisect the Enterprise Linux community. Instead, in the spirit of open source principles and standards, we created something compatible with Red Hat Enterprise Linux (RHEL). By adhering to this approach, we adhere to a single standard for Enterprise Linux and align ourselves with the original goals of CentOS.
However, Red Hat has recently expressed their perspective that they “do not find value in a RHEL rebuild.” While we believe this view is narrow-minded, Red Hat has taken a strong stance and limited access to the sources for RHEL to only their paying customers. These sources primarily consist of upstream open source project packages that are not owned by Red Hat.
Previously, we obtained the source code for Rocky Linux exclusively from the CentOS Git repository as they recommended. However, this repository no longer hosts all of the versions corresponding to RHEL. Consequently, we now have to gather the source code from multiple sources, including CentOS Stream, pristine upstream packages, and RHEL SRPMs.
Moreover, Red Hat’s Terms of Service (TOS) and End User License Agreements (EULA) impose conditions that attempt to hinder legitimate customers from exercising their rights as guaranteed by the GPL. While the community debates whether this violates the GPL, we firmly believe that such agreements violate the spirit and purpose of open source. As a result, we refuse to agree with them, which means we must obtain the SRPMs through channels that adhere to our principles and uphold our rights.
The latency of this status update has been due to our desire to balance the needs of the community and technical requirements, with the challenges to open source and community principles that Red Hat has created. Fortunately, there are alternative methods available to obtain source code, and we would like to highlight two examples:
One option is through the usage of UBI container images which are based on RHEL and available from multiple online sources (including Docker Hub). Using the UBI image, it is easily possible to obtain Red Hat sources reliably and unencumbered. We have validated this through OCI (Open Container Initiative) containers and it works exactly as expected.
Another method that we will leverage is pay-per-use public cloud instances. With this, anyone can spin up RHEL images in the cloud and thus obtain the source code for all packages and errata. This is the easiest for us to scale as we can do all of this through CI pipelines, spinning up cloud images to obtain the sources via DNF, and post to our Git repositories automatically.
These methods are possible because of the power of GPL. No one can prevent redistribution of GPL software. To reiterate, both of these methods enable us to legitimately obtain RHEL binaries and SRPMs without compromising our commitment to open source software or agreeing to TOS or EULA limitations that impede our rights. Our legal advisors have reassured us that we have the right to obtain the source to any binaries we receive, ensuring that we can continue advancing Rocky Linux in line with our original intentions.
While we continuously explore other options, the aforementioned approaches are subject to change. However, our unwavering dedication and commitment to open source and the Enterprise Linux community remain steadfast.
In the unfortunate event that Red Hat decides to ramp up efforts to negatively impact the community, Rocky Linux will persist to continue serving the best interests of the entire open source community.
As a reminder, we welcome everyone to contribute to our efforts. You can learn more about how you can join us and all of the various ways to contribute on our wiki. Want to voice your support for Rocky Linux? Help us spread the word by sharing with your network, engaging with or contributing to the community, or telling friends about us. Our community is vital to our success, and we value your support. Together, we can make Rocky Linux continue to thrive!
Clever workaround! But if Red Hat is really coming after source redistribution then it’s only a matter of time before they’ll find some end-run around this.
Maybe, they could try, but they’re still bound by the GPL to make the source available and cannot stop redistribution of the source. So they can make it difficult without violating the GPL itself. IMO it violates the spirit but not the letter.
That being said, this kind of fuckery is what everyone was predicting would happen when IBM got ahold of them. I’m surprised it took this long.
All they have to do is put access to the repositories behind some “cloud repo” subscription that requires the agreement, could be free with unlimited registrations. It is still a difficult place for them because they want adoption and to do that they have to be easy, and the alternatives don’t have such hoops.
I’m pretty sure if they revoked access to source repos for valid RHEL installations – therefore cloud VMs rented from someone with a subscription – then a lot of customers’ workflows would break. The tooling to quickly patch and rebuild packages is part of the appeal of RHEL and source repos are a big part of that.
I could see them putting pressure on cloud VM providers to maintain control here – while I think Rocky’s GPL interpretation is in the clear here, Red Hat can (apparently) still punish customers who redistribute sources via the EULA.
I don’t mean just the source repos, I mean any repos. They already require normal customers to log in using the subscription manager to use repositories; apparently the UBI and images provided to cloud providers don’t require this though, or it is pre-filled.
Rocky is fine with the GPL; Red Hat threatens account cancellations or even lawsuits for redistribution.
Yeah, although there are limits to what they can do. Like you said, they can only make it so difficult before it stops being worth it to customers. If they make it too risky/complicated/inconvenient for cloud customers to use RHEL, they won’t lol.