McGrath: Red Hat’s commitment to open source

I wrote software that's included in Red Hat and I'm still waiting for my cut. Or any contribution. So?

>> I guess that means RH is now going to pay all upstream developers for the time, effort and ressources going into it, right?

>They have been doing it all along.

No. They haven't been paying all developers. By far. And that is perfectly acceptable and fine. It adheres to the licenses that the developers chose for their code.

>By employing contributors to key projects. By sponsoring important initatives (e.g sourceware.org).
>If all commercial companies involved in free software behaved like RedHat, we'd be in a better place.

Yes, I completely agree.
Red Hat is one of the biggest single contributors to Free Software.
But it's also far from paying all of the work that goes into their product.
How much of the work do they pay? 1%, 2%? 10%? Probably not more.

And that is perfectly acceptable and fine. It adheres to the licenses that the developers chose for their code.

What is not Ok is saying things like this:

>> I feel that much of the anger from our recent decision around the downstream
>> sources comes from either those who do not want to pay for the time, effort and
>> resources going into RHEL

because these people are just doing what the licenses permit.
These people are exploiting the *same* rights that Red Hat exploits to run their business. That is the basic concept and foundation of Free Software. These rights are at the base of Red Hat's business. It's what makes their business possible. If GNU/Linux was proprietary software, then they would have to pay for every single change set going into it.

But Free Software allows them to not pay all these bills. And that is fine.

Companies are using my Open Source and Free Software to make millions of Dollars. From where do I know? Because these companies frequently contact me for free support.

And that is perfectly acceptable and fine. It adheres to the licenses that I chose for my code. I knew that from the beginning and chose to go that route.

What would not be Ok is if these companies would put further restrictions on *my* code. E.g. by applying a threat model to stop business with their customers upon redistribution.

I’m not going to engage with the second part, but for the first part:

A huge part of the point and benefit of open source software is that it doesn’t have to be paid for. This is the source of enormous benefit to the world at large, and has dramatically reduced duplication of effort and certain kinds of concentration of power. Microsoft is a far less powerful company because of open source software.

This also creates a tragedy of the commons style difficulty getting development paid for. Well, so be it. It is a necessary corollary of that freedom/openness.

1. Don't characterize it as a donation. Characterize it as a "sponsorship."
2. Don't try to give money to every FOSS project you use. Sponsor things that management is willing to sponsor, or could be persuaded to sponsor (because the alternative is giving no money at all). For example, if you give substantial money or other assistance to Debian, they will (subject to various formalities) put your logo on https://www.debian.org/partners/ and write mildly nice things about you - that might be an easier sell than another project that doesn't have such a page.
3. Don't (just) sponsor projects directly. Sponsor conferences, events, organizations, and anything else that could reasonably help a project thrive.
4. If you can't get them to sponsor an event, at least try to get them to expense entry fees for any interested employees.
5. Talk to marketing and find out whether developers are a cohort they want to target. If so, they may be supportive of sponsorships.
6. If a project looks seriously underfunded, show management https://xkcd.com/2347/ and ask them what they plan to do when that one developer in Nebraska gets bored or retires. Write down their answer, and characterize it as an official contingency plan. If they refuse to answer, then document the non-existence of a plan, as overtly as possible (without looking like a smart ass).
7. If management wants to purchase a support contract, try to steer them towards whoever is actually doing the work, not just whoever has the lowest rate. Remember, the people who wrote the code are often best equipped to do something about bugs and other issues. A third-party support contract is much less valuable, because they may be unable or unwilling to do much more than file exactly the same bug report you would've filed yourselves.
8. Accept that a corporation is a profit-maximizing machine, and they won't always do what is right, or even what is in their own long-term interest. Do the best that you can, and don't worry too much about things you can't change.

This is why organisations like Red Hat, SUSE, Canonical, are important. Companies can take out a support contrtact, and then these can dole out money to the appropriate foundations looking after the "software of importance". Although, of course, what is seen as important, and what is important, are often not the same.

Cheers,
Wol

File bugs asking for them to send you an invoice you can send to your boss?

The mechanical part of payment is *really hard* -- especially since many projects simply are not set up to receive money the way that corporations are set up to distribute it.

In a perfect or even better world all companies would follow your lead on bug reporting/patching. That would go a long way.

What would be even more amazing is if companies of certain sizes hired open source "janitors" or utility players to do that full time. Or if you can identify a project that is really important to you, hire a person to work on that project full time.

That could make vendor neutral projects much more sustainable and provide more work for developers who want to contribute to open source outside the vendor model.

Yes, exactly. For example https://gitlab.com/redhat/centos-stream/src/kernel/centos... is a commit that might plausibly end up in 9.2 (I haven't checked, I am on the phone).

For the kernel and 20-30 other packages you have the entire "exploded" source tree on GitLab, with git history including merge commits; the rpm doesn't include individual kernel patches because they're just too many.

> I really do think it's a double standard for anyone to think Red Hat should have to do that work, but asking the rebuilders to do it is too much.

Why should they duplicate the work though? Especially since RH had already been doing it and providing it.

I think the decision is very shortsighted, and only will end up hurting RH in the long run.

Shh. I don't think you are supposed to point that out. Or the fact reproducible builds are a thing. Or any other fallacies that may or may not have been in that blurb.

"Are they saying RHEL *is* this threat, or that it *isn't* this - are they confessing that their product differentiator is in modifying other people's codebases and then being obstinate and hostile to upstream in the same vein as Apple or grsecurity? Are they reversing their endorsement of things like Flatpak?"

RH is probably the best company in the world in pushing things upstream. According to the blog post that won't change.

> Are they saying RHEL *is* this threat, or that it *isn't* this - are they confessing that their product differentiator is in modifying other people's codebases and then being obstinate and hostile to upstream in the same vein as Apple or grsecurity? Are they reversing their endorsement of things like Flatpak?

Why are you commenting if you actually haven't got any idea about the issue at all? They contribute a lot upstream. But you can't contribute "packaging" upstream, because application and library developers don't *want* to be distributions, and quite reasonably. RHEL does not upstream its integration work, and it would make no sense to. No distribution does.

What RH is no longer interested in doing is *downstreaming* its integration work to freeloading rebuilders.

> As a gut check, "packaging software is 1% of overall software effort" doesn't seem outrageous.

This doesn't account for integration & subsequent testing.

One can quibble over the portion, but it's more than zero.

> As a gut check, "packaging software is 1% of overall software effort" doesn't seem outrageous.

Then what's the big deal? Just get a one-time copy of RHEL source code and maintain it yourself.

And what are the percentages for the vast majority of packages that are smaller than large packages like ffmpeg?

What about the time and effort that goes into it? Everyone knows "lines of code" is a terrible way to measure difficulty. Some lines of code are a lot harder to write and maintain than others.

I think the point being made is that Red Hat is absolutely going to contribute things upstream and absolutely will make any fixes/enhancements they develop upstream - they just aren't going to make it particularly easy to be a bug-for-bug clone of Red Hat. And I'm a little bit sympathetic to that because the only people who really need a bug-for-bug clone of Red Hat are people who are running software (FOSS or proprietary) from some other commercial vendor who certifies it as running on literally Red Hat and nothing else, or people who want to run 10 Red Hat machines and 90 not-Red-Hat machines and report bugs to Red Hat regardless of which machine they came from.

The broader FOSS ecosystem doesn't really benefit from this. I don't think I've ever seen an upstream developer say "Oh you ran into this on Fedora, but can you reproduce it on Red Hat or a Red Hat rebuild?" It wouldn't be useful to the broader ecosystem if they said that, because how could you expect to use that software on Debian or Arch or anything? How could that software participate in the FOSS community as a whole instead of just Red Hat and its clones?

The broader FOSS ecosystem absolutely does benefit from Red Hat sending patches and bug reports upstream, and as a backstop for when Red Hat doesn't engage upstream, the broader ecosystem absolutely does benefit from Red Hat's patches and customizations being published to the world. Which are the things that Red Hat is committing to doing. If they find a bug in OpenLDAP and they patch it for their customers, that patch - and its commit message, and the discussion on the merge request, and a whole lot of other things that aren't in the SRPM! - is on GitLab.com for anyone else to pick up. The only thing they're no longer committing to is saying whether that patch was applied in openldap-2.6-20.el9.x86_64.rpm or openldap-2.6-21.el9.x86_64.rpm. That piece of information is wholly irrelevant to the culture of open source; you don't need it unless you're specifically trying not to have any patches of your own. It's only interesting if your interest in Red Hat publishing sources, and being open source at all, stops once you have an equivalent binary.

(Or, admittedly, unless you're Software Freedom Conservancy trying to verify that in fact they did push all the patches to GitLab that they claimed they were going to. That's a valid use case and I hope that gets resolved. I'm concerned by comments on the question I asked yesterday https://lwn.net/Articles/936138/ about how there are private branches, because that means it's easy to forget to push things publicly. Even a commitment to automation would be meaningful.)

All of Drew's examples there are about people adding value to your work in some way - incorporating it into their own work, becoming an expert and consulting/teaching/writing about the software, packaging it nicely, etc. Every single one of these use cases could be accomplished just as well with CentOS Stream as with Red Hat, if not better. If I wanted to, say, repackage 389-ds and run a little LDAP company, I would actively not want to be bound to Red Hat's release cycle and their discretion of what bugs are important! I would want to see their decisions about what patches go into stable releases and potentially make my own depending on what issues my customers are having. I wouldn't object if the base I'm working from is a little bit newer than Red Hat's commercial product; in fact I would find that useful.

The only use case where unthinking replication of Red Hat's decisions and renunciation of the ability to make your own decisions are valuable is when your product's value is entirely in it being the same as Red Hat's product but cheaper. It's true that Red Hat is also surrendering their ability to prevent this by redistributing FOSS, but it is telling that this isn't a use case where you can write a convincing story about how it's a good thing for the world.

(And, in turn, the money that Red Hat charges goes to fund their ability to continue participating in the ecosystem. If you look at e.g. the development stats article right below this one https://lwn.net/Articles/929582/ , a lot of the major contributors are hardware vendors who want to sell you their hardware, or companies like Google or Facebook that have their own internal use cases and their own agendas. The argument being made in the article is that a world where Red Hat's business model is not commercially viable is actually worse for FOSS than a world where Red Hat survives by doing things that just barely comply with the GPL.)

“RedHat itself started out as just a clone of other people's source”

Did it? And for how long?

As I understand it, the first Red Hat Linux release was based on SLS. Not a clone, a fork with additional work added. And, I think, SLS had actually ceased distribution by then. It’s a far cry from a fair comparison.

If the discussion was about Red Hat trying to prevent a project or company from building something novel off RHEL sources instead of just xeroxing whole RHEL releases, it’d be very different.

At least Jeff Geerling's Ansible related and other projects:

https://www.jeffgeerling.com/blog/2023/removing-official-...
https://www.jeffgeerling.com/blog/2023/im-done-red-hat-en...

I couldn't recommend a distro where security fixes are deliberately held back to anyone. And I'm not talking about embargoes, all the fixes. It's one of the ways Red Hat "adds value" to RHEL.

Heh, the machines I converted to Stream almost got me fired. Then I decided to do a "from-scratch" install to prove a point, did not help, quickly walked it back in shame.

n = 1 and all that, but I've had less issues with Fedora Server. The only unfortunate thing is that it requires frequent rebooting, as it updates often - of course, that's exactly what it says on the tin, so although it's not surprising, it's not ideal for our use case.

I'd love to understand that, too.

I think that people feel like CentOS stream is like ... "Debian unstable", all new stuff goes in there and when it's decided to be stable, a release is made that's actually the stable one. I feel like a lot of this is perception, not the truth, but nobody seems to want to use it.

And as for stability, in the last month I had two separate kernel bugs, one in RHEL7 and one in RHEL8, that if ran on KVM hosts led to VM hangs/stalls, and at some point having something move fast enough so you get your bugs fixed quickly might be the better choice than depending on something that releases every 3 months and is supposed to be stable.

> Serious question - why not run CentOS Stream?

Right now, as I'm writing this, I'm trying to build ~200 packages with mock using CentOS Stream 9. The process is failing as AppStream's repodata checksums are mismatched. Now they match, but other packages are not yet mirrored and thus I'm left to dry until they all sync or something. There's a bug report in Pagure about this about twice a year, it seems, from internal people too.

My project is a perfect use-case for CentOS Stream: I want some LTS on par with Ubuntu so I don't do the time-consuming "upgrade to the next major version" busywork dance every year, thank you very much. I don't need more guarantees, certifications, and most other fluff RHEL target audience may find useful. But I also want to plug package and container building into a CI/CD pipeline, and if their mirrors keep barfing once in a while without a reliable indication when it happens and how to plan around it, it's quite a sad state of affairs.

+1 to Debian. In my informal hobbyist experience, it is an excellent distribution for making systems that "just work" for years on end with very little fuss or effort.

> I also don't have the information in front of me that McGrath and the other execs at Red Hat have to inform their decision.

To quote McGrath:

"The generally accepted position that these free rebuilds are just funnels churning out RHEL experts and turning into sales just isn’t reality. I wish we lived in that world, but it’s not how it actually plays out. Instead, we’ve found a group of users, many of whom belong to large or very large IT organizations, that want the stability, lifecycle and hardware ecosystem of RHEL without having to actually support the maintainers, engineers, writers, and many more roles that create it. These users also have decided not to use one of the many other Linux distributions."

That lines up with my experience, at both small (<20 employee) companies, at large-ish companies (3000-5000 people) and very large highly-regulated companies (>60,000 employees).

Surely this is not what anyone who ever published code under the GPL was hoping to achieve.

> it should really be because of something we did or a choice we made - not what the headline grabbers are saying we did.

I've noticed a lot of the commenter subscriber numbers are about 50,000. I guess it's rent-a-mob. They obviously came here some while ago, went away, and this was an excuse to come back :-(

Cheers,
Wol

> The confusion around this event has been really frustrating, if people lose trust over Red Hat, or are angry at Red Hat, it should really be because of something we did or a choice we made - not what the headline grabbers are saying we did.

And they are losing trust and angry at RH for something you did and the choice you made. Pretending its just because of the "headline grabbers" isn't going to make that better.

And there is no confusion, you just don't like the pushback to a bad decision.

The rebuilders were reselling commercial offerings, long before they took on CentOS. Money evidently wasn't a concern then, because they never talked or complained about it.

When they did take CentOS on, they said it would not change things. And people who had reasons not to use RHEL under contract, therefore trusted that to remain the case. Still there were no complaints about rebuilders.

Then they redefined CentOS as upstream, but waxed about everything except the impact on rebuilders. People were sceptical about the benefits of upstream, but Redhat felt compelled to emphasize that it wasn't about the rebuilders but agility benefits all around.

Now they cut off the repo access, wax on again about this and that, but not about rebuilders and only after being pushed hard, they admit that it was all about the rebuilders after all and Redhat not having any direct benefits from them.

They weren't honest about intention and motives for years. And now they pulled the plug without warning, because "it's our call" and they do not care about collateral damage.

Yes, they were under no legal obligation to share, but they were hiding their intent, did not give warning and as a consequence a lot of people are getting harmed.

And when people are being burned, they aren't very understanding (Maslov), they just won't forgive whoever is responsible.

It doesn't matter if McGrath then explains that you shouldn't have touched the pan without a RHEL support glove, or that it's unfair to expect the hot pan to be cool on the handle without paying for the protection.

Pain destroys trust and followings very radically and there is plenty of data out there on how human networks amplify churn e.g. in TelCos when pain and anger are involved.

And they show just how incredibly expensive it would be to turn such a tide.

IMHO the bean counters didn't have the right numbers for that risk on their balance sheet.

Let's not argue, but revisit in a year or two: by then we might know if they shot themselves a bullet in the foot or vitamins in the arm.

P.S. If anyone had actually invested into making it easier to clone RHEL, then that person should now be sued. I can't believe that would have been an 'honest mistake'.

SUSE? I don't think alpine is, but I'm not sure who employs the maintainers (which may or may not change opinions). There are also the cloud provider distros, which may also change the balance between community and "corporate".

I think if you're looking at "LTS" distros though, Debian is the only independent community one as far as I know, and there are no independent RPM-based ones?

> Ironically, the argument "Alma & Rocky Linux are harmed by the decision" automatically concedes that what RedHat does adds value. If RedHat did not add value there would not be any harm.

Yeah, the cognitive dissonance around that point is quite astounding.

>I think that seriously underestimates the effort involved in integration.
>The effort it takes to go from "works on my machine" and "works on everybodies machine"
>is about a factor of three, at least.

Did you even think about that before posting it here?

The step "works on my machine" includes developing the whole application, designing the program architecture, designing the code structure, writing the code, writing the documentation, writing the unit tests, writing the system tests, etc, etc.

The step "works on everybodies machines" includes fixing portability issues and packing the application, running some system tests, maybe write some distro specific docs. That's basically it.