By Jonathan Corbet
August 3, 2009
CentOS must seem like a dream distribution
to many. Its users get the benefit of the massive team of developers that
Red Hat has working on the Red Hat Enterprise Linux product without having
to pay for any of it. CentOS offers a level of stability that cannot be
found in any of the more community-oriented distributions; even Debian
Stable requires its users to upgrade more often than CentOS does. Hosting
providers have a solid, supported platform to sell to many thousands of
customers, and it does not cost them even a single devalued US dollar.
Many, many sites depend on CentOS, so anything which threatens the stability
of that foundation is certain to raise a number of eyebrows.
Unfortunately, that is exactly what happened at the end of July.
CentOS has never been the most transparent of projects; its lists do not
carry the kind of open discussion that can be found with Debian, Fedora, or
(increasingly) openSUSE. Most CentOS users perhaps worry little about
where their software comes from, but there are those who have tried to
help the project and bring its workings more into the open. One of those,
well-known RPM packager Dag Wieers, threw in
the towel in June:

    It was not an easy decision and I feel sad for having to take it,
    but I decided to resign from the CentOS project. I hope the team
    can fix the project's leadership, communication and transparency
    issues (even within the team), because each is very important for
    the health of the CentOS community.

Problems within the project became more public on July 30, when a
disturbing open letter was posted on centos.org. The immediate issue
was the disappearance of project founder Lance Davis, whose last post on
the centos-devel mailing list was in April, 2008. Evidently Lance hadn't
been heard from for some time in other parts of the project as well. A
missing founder can be a problem, but it gets worse: when Lance vanished from
sight, he took with him control over the project's domain name and IRC
channels.
Lance also had control over the project's finances. There has been a lot
less noise concerning this part of the problem, but the fact remains:
nobody seems to know where the money which has flowed into the project (via
donations and web advertising) has gone. Quoting
Dag Wieers again:

    For at least three years people were donating money and sponsors
    were paying for website ads while the money was not flowing into
    the project, where it went to I can only guess. Raising the
    question was a risk to the project so everybody stayed quiet for
    the sake of the project hoping it would resolve itself.

Naturally enough, this issue failed to resolve itself; eventually the other
key CentOS contributors were forced to go public with their concerns. The
move appears to have been entirely effective: Lance was flushed out from
wherever he was hiding and met with the team. Ownership of the domain name
has been transferred. The CentOS project appears to be back on track, and,
perhaps, headed toward a more democratic mode of operation.
Little is being said about the financial side, beyond this:

    We will be addressing these issues in the next few weeks, the plan
    at this time is to not turn on the donations option or advertising
    anywhere on the websites till we have such processes in place.

So the management of future revenue into the project should be handled in a
more open sort of way.
One could argue that CentOS users had little to worry about. In the worst
possible scenario, the active CentOS developers could have forked the
distribution and moved to a new domain, perhaps without even changing the
name of the project. Such a
move could certainly be successful. But users who have picked a
distribution known for stability might just feel a little concerned about
being told to change their repository pointers to a different location run
by a group claiming to be the "real" CentOS. A certain amount of
disruption would have been guaranteed.
There is a lesson here: use of a distribution like CentOS has its risks. A
system running CentOS is relying on the efforts of a relatively small group
of volunteers; these volunteers are not obligated to continue to provide
support to anybody. The project's governance and processes are on the
murky side - even if it looks like things are about to get better. CentOS
is fully dependent on Red Hat for security updates, and it necessarily
imposes a delay between the release of Red Hat's fix (which discloses any
vulnerability which wasn't already in the open) and the availability of a
fix for CentOS. For the curious: here is the observed delay time for a few recent updates:
Sometimes updates pass through the CentOS system quickly, but other times
the performance is not quite as good; the "critical" firefox update
languished for a full week.
The point of the above text is not to criticize CentOS: that project has
done an outstanding job of providing a highly stable and well-supported
distribution to the community for free. How can anybody criticize that?
The point, instead, is that there are tradeoffs associated with any
distribution choice. A Linux user who feels the need for
contractually-assured service backed up by a well-funded support operation
and faster security updates would be well advised to consider purchasing
support from one of the companies operating in that area.
For those who do not need that level of support, instead, distributions
like CentOS provide great value. A more open CentOS looks like it should
be able to provide greater value yet. Also encouraging are the suggestions
that CentOS could work more closely with Scientific Linux, another RHEL
rebuild with very similar goals. All told, there appears to be a good
chance that the recent turbulence will lead to a more solidly founded
CentOS which will continue to be a firm platform for many thousands of
deployed systems well into the future.