suggesting that the CentOS 5.6 release is imminent - though that is
something we have heard before
release will certainly be welcome to numerous CentOS users, but there can
be no doubt that its tardiness - and, in particular, the absence of
CentOS 5 security updates caused by its delay - has been a bit of a
wakeup call for those users. If this much-used distribution is to remain
viable into the future, some important changes will need to be made and
those who depend on it will have to step up their support.
There will be no shortage of CentOS users who would like to get their hands
improvements and added hardware support to be found in the RHEL 5.6
and 6.0 releases. But the real problem is not delayed gratification; it is
that there have been no
CentOS 5 security updates since January 6, and only one since
December 14, 2010. During this time, RHEL 5, on which
CentOS 5 is based, has seen updates for
dbus, exim, firefox (twice), gcc, hplip, java-openjdk, kernel (thrice),
libuser, mailman, openldap, pango, php, postgresql, python, samba,
subversion (twice), tomcat5, vsftpd, and wireshark (twice). Since these
updates are based on the 5.6 release, CentOS cannot easily pass them on to
until they, too, have a 5.6 base. Since that base has been slow in coming,
all those security updates have been blocked.
Some of these vulnerabilities are more severe than others, but there can be
no contesting the fact that every CentOS 5 system out there is
with a significant set of known holes. That is not the sort of solidity
and support that CentOS users will have been hoping for. Many of those
users will, by now, be wondering whether CentOS is the right distribution
to base their systems on.
The CentOS mailing list has been filled with users asking when updates
would start flowing and why things have bogged down for so long. Some say
that there are too many RHEL repackaging projects out there, and that
CentOS should join forces with a distribution like Scientific Linux.
Others blame the 6.0 release for distracting the project from its 5.x-based
users - causing security updates for installed systems to languish in favor
of a shiny new distribution that nobody is running yet. Still others
complain that the project is insular, secretive, and hostile to new
contributors. All of these claims may or may not be true, but they are not
the subject of this article: there is
another aspect to the problem that is unambiguous and clear.
Many people benefit from the work of the CentOS project, but at the top of
the list must be managed hosting providers. Those companies get, for free,
a solid platform which they can install on thousands of servers and sell to
their customers. A site called tophosts.com maintains a list of the top 25
hosting companies; a look at that list leads to some interesting
conclusions. Of those 25 companies:
- One is a Windows-only provider.
- Two offer "Linux" with no way, short of actually renting a server,
of determining what flavor of Linux is involved.
- Three appear to offer Red Hat Enterprise Linux only.
- All of the rest (19 providers) offer CentOS.
(As an aside, it is amazing how hard many of these companies make it to
find out what it is that they are offering to sell. Hosting provider web
sites seem to all be designed by the same person; they are twisty mazes of
Represented on this list are the largest hosting providers in existence -
though it must be said that the list is US-centric. Together, they account
for many hundreds of thousands of systems, a significant percentage of
which are running CentOS. That's a lot of business - a lot of revenue -
which is being generated by CentOS-based systems.
The failure of CentOS - or even a significant tarnishing of its reputation
- would reduce the value of the services offered by these providers. Other
free Linux distributions exist, and some are entirely suitable for stable
deployment situations, but many customers want a distribution which is
compatible with RHEL. So said providers have a significant stake in
keeping the perceived value of CentOS high. Perhaps it is time that some
of them put some resources into supporting that value.
Said resources could certainly take the form of monetary donations to the
project. But far better would be for these companies to hire somebody to
work directly with CentOS and make it better. In return, they would reap
all of the benefits that come with open source participation: they would
have a better distribution to offer to their customers, they would get more
influence over the direction of the project, their participation
would enhance their reputation, and, crucially, they would improve their
in-house expertise which could then be used to support their customers.
All of the motivations for supporting free software development in other
parts of the economy apply just as strongly to hosting providers.
A look at the CentOS
Sponsors Page shows that quite a few hosting companies - including a
handful of the big ones from the list described above - are supporting the
project. In many cases, it seems, that support takes the form of a donated
server. CentOS certainly needs servers and bandwidth, but those, alone,
will not keep the distribution strong. Even the strongest contributor gets
a bargain from Linux - nobody puts in as much as they get out. But one
suspects that the hosting industry is
getting a better deal than many. Now would be a good time for the
top beneficiaries of the CentOS project to roll up their sleeves and put
some serious time into making it better.
to post comments)