Red Hat cutting back RHEL source availability
Red Hat cutting back RHEL source availability
Posted Jun 21, 2023 16:08 UTC (Wed) by MarcB (subscriber, #101804)In reply to: Red Hat cutting back RHEL source availability by Bickelball
Parent article: Red Hat cutting back RHEL source availability
What RedHat actually provides is the - sometimes exclusively - supported environment for 3rd party software. They can do this, because they are in a uniquely strong position and have established connections to many suppliers of such software. Competitors can't really do this, because it is a chicken-egg-problem. Larger vendors will not even talk to you, if you are too small.
Red Hat invested a lot of time and money to achieve their position, but it should be clear that this is not about fairness, and that no one besides Red hat will benefit from this. This does not mean, that what Red Hat is doing is intrinsically unfair - but it might become at some point.
Posted Jun 21, 2023 16:34 UTC (Wed)
by ju3Ceemi (subscriber, #102464)
[Link] (1 responses)
So if you care about being supported, you pay and use redhat
Posted Jun 22, 2023 4:34 UTC (Thu)
by mbar (guest, #73813)
[Link]
Posted Jun 21, 2023 17:49 UTC (Wed)
by jzb (editor, #7867)
[Link] (21 responses)
This seriously undervalues what Red Hat does overall with RHEL. Red Hat didn't start out in a "uniquely strong" postion, they fought to get there. Providing a "supported environment for 3rd party software" is a lot more complex and sophisticated than people give Red Hat credit for -- Red Hat has to do a ton of development work upstream to land features that customers want across multiple upstreams.
Then they work with partners to do testing and certification. And then they support an operating system for a decade plus, including upstreams that go EOL like Python 2.7.
Red Hat makes open source consumable and boring for businesses. It's a lot of chopping wood and carrying water that competitors have tried very very hard to avoid, in a variety of ways. (Credit where due, I think SUSE tries to emulate this to a large degree, they've just been less successful at scaling it.)
Just because Alma and Rocky and others can quickly recompile the source code to RHEL should in no way delude people to think they can easily step in and do all the development that happens up to that point. People seem to handwave away all the work that leads up to that source code in the first place. Sophisticated isn't really the metric here: it's the ability to deliver an open source platform that's consumable by business at scale for a decade. Repeatedly.
But people have seriously devalued that because they can get the bits for free without thinking too much about all the work that went into the source that makes the bits available.
There's a related discussion about how relevant RHEL is now given that the world is moving away from a model of staying on an OS for 10 years. But that doesn't decrease the complexity of providing that or make it any more honest to handwave away what RHEL represents as not "particularly sophisticated."
Disclaimer: I'm a former Red Hat employee (and even more former SUSE/Novell employee...)
Posted Jun 21, 2023 18:35 UTC (Wed)
by pizza (subscriber, #46)
[Link]
Yeah. It's all very cargo-cult-ish.
Posted Jun 21, 2023 18:59 UTC (Wed)
by ju3Ceemi (subscriber, #102464)
[Link] (18 responses)
This kind of offer helps the damaged mindset from the 90ise that you can, sanely, let an environment live forever
Posted Jun 21, 2023 20:03 UTC (Wed)
by pbonzini (subscriber, #60935)
[Link] (12 responses)
Yet I guess you complain about planned obsolescence and lack of firmware update when it's about phones, TVs or NAS enclosures...
Posted Jun 21, 2023 20:09 UTC (Wed)
by ju3Ceemi (subscriber, #102464)
[Link] (11 responses)
In which sane world do you run a ten-year old libssl ?
I have différent answer for those questions
Posted Jun 21, 2023 20:17 UTC (Wed)
by pgarciaq (subscriber, #153687)
[Link] (5 responses)
In essentially any enterprise environment, actually.
Posted Jun 21, 2023 20:21 UTC (Wed)
by ju3Ceemi (subscriber, #102464)
[Link] (4 responses)
Posted Jun 22, 2023 18:54 UTC (Thu)
by clump (subscriber, #27801)
[Link] (2 responses)
More information for RHEL can be found here: https://access.redhat.com/security/updates/backporting
Posted Jun 22, 2023 19:19 UTC (Thu)
by ju3Ceemi (subscriber, #102464)
[Link] (1 responses)
On the other hand, let's have this other nice story
TLS 1.2 has been added to openssl 1.0.1 in 2012
Question: in 2020, on my fully supported rhel 6 server, do I:
Answer:
So you started with a specific version, and upgraded to another
Yet if you have a very sensitive system, upgrading just that library means running the full qualification procedure
Anyway
3-years support is far better from a security perspective, because it is a reason to keep taking care of stuff: manager will give you time, security teams will prioritize etc
Security is nothing but psychology.
Posted Jun 22, 2023 20:37 UTC (Thu)
by clump (subscriber, #27801)
[Link]
Ten+ year security doesn't make software less secure, quite the opposite. You can still upgrade to a new version of RHEL every two or three years. My experience is that organizations don't care as much about operating system versions as they do about the versions of the applications and languages they're running. In those cases, they're often providing their own OpenSSL or Java or Python.You might upgrade the OS every couple of years, but you're constantly upgrading your applications.
Too many of my customers *only* care about their applications. They don't think much about the underlying operating system. That's among my customers that self-manage. Many of my customers are running toward cloud services as fast as possible.
Posted Jun 23, 2023 13:40 UTC (Fri)
by Freecoffee (guest, #165758)
[Link]
There was a time in computing when everything could be free/semi free and open but all that leads to now is lack of viability and longevity of the work.
If anyone has not noticed the billion hours of coding in flash sites that evaporated from the internet.
I have worked in development for companies and the honest truth is no one can afford to direct resources to perfection and recreating the wheel.
On a side note the cloud is great until you need to have stable costs. It does not give an operation a lot of leverage in negotiation when you are dependant on the cloud for your buisness infrastructure. No asset model what could go wrong.
Posted Jun 21, 2023 20:33 UTC (Wed)
by pbonzini (subscriber, #60935)
[Link] (1 responses)
I have a Synology NAS from 2013 that got its last *major* update last year, and it's not even cloud enabled. Meanwhile other companies that actually expose your data on the internet might sell you an old model that they don't plan to update anymore in 2025.
Well, Synology is doing the same kind of work as Red Hat.
Posted Jun 22, 2023 4:07 UTC (Thu)
by mathstuf (subscriber, #69389)
[Link]
Posted Jun 22, 2023 0:05 UTC (Thu)
by butlerm (subscriber, #13312)
[Link] (2 responses)
Posted Jun 23, 2023 7:06 UTC (Fri)
by taladar (subscriber, #68407)
[Link] (1 responses)
Posted Jun 23, 2023 16:14 UTC (Fri)
by jzb (editor, #7867)
[Link]
Really, when I think about it, I am aware of the amount of testing that goes into RHEL and feel fairly confident that if what I need is a long-term stable operating system it's going to meet my needs.
The original developer / project, in many cases, hasn't done nearly the amount of testing against what they've released vs. what ends up in RHEL. Calling it "bleeding edge" is silly. The reason many people want and pay for RHEL is because they know that there's additional testing vs. the vanilla upstream.
I would grant you that the original developer has more context for the original software. Whether they know more than the person patching it, overall, is not guaranteed. Whether they're better at security or fixing security issues is definitely up for debate.
You seem to be simultaneously arguing that you really want to run RHEL, and that it has little value, which is mystifying to me.
Posted Jun 24, 2023 15:13 UTC (Sat)
by wtarreau (subscriber, #51152)
[Link] (4 responses)
Yeah for sure... Quite frankly, read what you wrote, all of this makes zero sense. You're taking the example of people that do not apply any single update to judge a model where a vendor makes the effort of providing updates so that responsible customers can maintain their software up to date.
For sure some people like those making a living of selling hardware might prefer to see landfills full of obsolete cars because the software that runs on the central computer isn't supported anymore, make a business of desoldering components from obsoleted smartphones, or doubling the price of energy delivered to a vulnerable neighbor country while they're running maintenance operations to replace the hardware in power plants due to the new requirements of a major software upgrade. But there are also a lot of people who want to keep safe software running fine on existing hardware without changing prerequisites every 3 years nor facing regressions due to forced major upgrades.
You seem to be ignoring an important fact, which is that a linux distro is primarily a redistribution of a collection of opensource software, and that a lot of them are done as side jobs, and not in a professional manner, meaning that forward compatibility is not the most common thing. As such performing a distro upgrade almost guarantees a number of regressions or breakages that are sometimes OK on your laptop but not at all in many environments. Distro vendors providing 10 years support go through that effort mainly to protect their customers from this.
Posted Jun 24, 2023 15:40 UTC (Sat)
by ju3Ceemi (subscriber, #102464)
[Link] (3 responses)
I am sitting on a i5-2400, released in 2011, running Debian 12 (released in 2023)
That is .. that is crazy
Also, when you pay a RHEL subscription for a server (at least 350$/y without support nor any stuff), you probably have some kind of business behind this
Posted Jun 25, 2023 8:13 UTC (Sun)
by wtarreau (subscriber, #51152)
[Link] (2 responses)
I, too, used to find CentOS interesting for end users. It's just that lots of consultants install this at their customers' as a way to save money by not buying the original, hence avoiding to pay for the development effort done upfront. I'm not seeing a simple solution to this, to be honest. Maybe they should make a free version of RHEL which is trivial to activate and switch to a paid mode, to try lower the barrier of adoption, and pre-fill a number of visible config files with "this is an unregistered copy, if you value it please consider supporting our effort". But the constant guerilla between RHEL and forks is only hurting their users, community and their image by making the solution look not sustainable in my opinion.
Posted Jun 25, 2023 8:23 UTC (Sun)
by ju3Ceemi (subscriber, #102464)
[Link] (1 responses)
Mais tu sais, je me suis déjà occupé d'un parc de 3500 serveurs (à l'époque où j'étais ton client)
Thank you for your feedback anyway
Posted Jun 26, 2023 4:50 UTC (Mon)
by wtarreau (subscriber, #51152)
[Link]
Posted Jun 21, 2023 21:22 UTC (Wed)
by Wol (subscriber, #4433)
[Link]
To put it another way, it's Red Hat that puts food on the programmers' tables.
Cheers,
Posted Jun 22, 2023 18:19 UTC (Thu)
by markhahn (subscriber, #32393)
[Link] (4 responses)
but think about what the vendors are doing here: it's slimy. they should be saying "our app runs on anything compliant with a particular standard". the whole "supported on" is lazy and hostile to the customer.
Posted Jun 22, 2023 22:48 UTC (Thu)
by farnz (subscriber, #17727)
[Link] (1 responses)
It's not so much slimy, as lazy (in the sense that all programmers are lazy). If I say "runs on anything compliant with a particular standard", then I need some way of verifying that my app really does run on anything compliant with that standard - that means that tools need to exist that check my app for cases where it assumes an implementation detail, and tools need to exist to verify compliance of your OS with the standard.
By saying "runs on Ubuntu 14.04 LTS", I've isolated down exactly what I'm promising - if I accidentally depend on an implementation detail of Ubuntu 14.04 LTS that changed in 16.04, that's fine, because I promised I'd work with 14.04 LTS only. And if Canonical update Ubuntu 14.04 LTS and break my app, I've got to catch up; so I want to work with Canonical to ensure that either this doesn't happen, or I have some notice and can fix my app before my customers get the update.
Same logic applies to RHEL, except that the RHEL support lifetimes are slightly longer than Ubuntu LTS (6 years to last release instead of 5, 12+ years from first release to end of ELS to Ubuntu's 10 years from first release to end of ESM).
Posted Jun 23, 2023 0:48 UTC (Fri)
by intelfx (subscriber, #130118)
[Link]
Well, that’s exactly what OP meant by “[being] hostile to the customer”.
Posted Jun 23, 2023 8:53 UTC (Fri)
by eduperez (guest, #11232)
[Link]
History has told us, over and over again, that being "compliant" with a particular standard, means next to nothing; there are countless "anecdotes" of software compliant in theory, but incompatible in practice.
Posted Jun 23, 2023 16:31 UTC (Fri)
by jzb (editor, #7867)
[Link]
What the vendors are doing is not slimy, lazy, or hostile here. First of all, the idea that there even exists a "particular standard" to be compliant *with* is questionable given the number of dependencies that any given application might have. What standards would you suggest that are adequate to say that a database or streaming/messaging platform is supported?
Let's say I want to ship a product based on Apache Kafka. Please tell me which standards I can target that are available in shipping operating systems that guarantee if I target them I can also promise support.
The most reasonable way for a vendor to develop, test, and support an enterprise type application is to pick specific versions of popular operating systems and work against those. Because we're not just talking about "it compiles and runs" -- we're talking about being able to support a customer with heavy workloads and a contract with an SLA that says downtime costs you, the vendor, money.
Red Hat cutting back RHEL source availability
And those 3rd party are supported on redhat -not on some clones like centos.
If you are not, then you could as well use anything else: suse, Debian, gentoo, whatever
Red Hat cutting back RHEL source availability
You just wrote that Debian testing is a clone of Debian stable.
Red Hat cutting back RHEL source availability
Red Hat cutting back RHEL source availability
Red Hat cutting back RHEL source availability
This is so damageable to the world
Red Hat cutting back RHEL source availability
Red Hat cutting back RHEL source availability
In which sane world do you use a ten-year old screen ?
Red Hat cutting back RHEL source availability
Red Hat cutting back RHEL source availability
I don't know, I've work for many compagnies and never met such choices with succesful outcome: it was always a failure
Red Hat cutting back RHEL source availability
Red Hat cutting back RHEL source availability
You have rhel 6, supported up to 2020, released in 2010 with openssl 1.0.0
- use TLS 1.1, because that's all I can get and I am insecure
- use TLS 1.2, because redhat backported the whole TLS 1.2 implementation
None
openssl was upgraded from 1.0.0 to 1.0.1 somewhen
Basically, you could've just upgraded to the next release ..
Yes, I know that this "is just a library"
From my personnal experience in compagnies, 10-years support is very great because people can just fire some stuff and move on
Said stuff will rot in place, never to be touch in many years, but that is not my problem so I do not care
And then you come, consider said system, consider that everybody who worked with that thing left years ago
And you cry alone in the dark
And when systems are kept sane all the time, as when you clean your house, so job is simple and easy
Whereas when you leave the dirt for year, good luck cleaning the mess ...
Red Hat cutting back RHEL source availability
Red Hat cutting back RHEL source availability
Yes ivey grows over entire areas of apps and buisness processes and in a perfect world there would be maintenance but that is not any company I have ever worked for.
Red Hat cutting back RHEL source availability
Red Hat cutting back RHEL source availability
The entire business model of a company like Red Hat requires making critical and necessary updates to versions of dependencies long since abandoned by their original developers. In other words no one using RHEL is running an unpatched, unsecured ten year old libssl or anything like it, they are using a generally ABI compatible version maintained by Red Hat with security fixes and necessary upgrades, and often more than one such version.
Red Hat cutting back RHEL source availability
Red Hat cutting back RHEL source availability
Red Hat cutting back RHEL source availability
Red Hat cutting back RHEL source availability
> This is so damageable to the world
> This kind of offer helps the damaged mindset from the 90ise that you can, sanely, let an environment live forever
Red Hat cutting back RHEL source availability
Do you really believe people have to change hardware every time they update the software ?
People with hobbies for their free time do not pay that money for the elusive right to use old hardware ..
Red Hat cutting back RHEL source availability
Red Hat cutting back RHEL source availability
Nothing related to RHEL
Peut-être n'avons-nous pas eu les mêmes expériences professionnelles, fréquentés les mêmes genre d'entreprise ?
Red Hat cutting back RHEL source availability
Red Hat cutting back RHEL source availability
Wol
Red Hat cutting back RHEL source availability
Red Hat cutting back RHEL source availability
Red Hat cutting back RHEL source availability
Red Hat cutting back RHEL source availability
Red Hat cutting back RHEL source availability