down in other products? They literally cannot "Lock it down" due to the GPL. Anyone using RHEL binaries has legal right to the code. What they seem to have done is limit source code access to those who are actually using RHEL, which is all the GPL requires. The GPL does not require you to share source code with every person on the planet, only those using your binaries. If someone wants the source, they can sign up for a free DEV license for RHEL, and that entitles them to the source code for the RHEL things they are using. On Wed, Jun 21, 2023 at 4:07 PM Philip Wyett <philip.wyett(a)kathenas.org&gt; wrote: > Hi all, > > Obviously many will have seen: > > https://www.redhat.com/en/blog/furthering-evolution-centos-stream > > and see, where EL (contributors like you of fedora/EPEL) have been knocked > down: > > https://bugzilla.redhat.com/show_bug.cgi?id=2215299 > > Let us face it our efforts with the Fedora project are not valued and it > is a means nothing to the > new corporate IBM/Red Hat enterprise systems that we have to struggle to > get access to srpms, to > make a community. What is community now to Red Hat? > > down in other products? > > Regards > > Phil > > -- > *** Playing the game for the games own sake. *** > > > Associations: > > * Debian Maintainer (DM) > * Fedora/EPEL Maintainer. > * Contributor member of the AlmaLinux foundation. > > WWW: https://kathenas.org > > Buy Me a Coffee: https://www.buymeacoffee.com/kathenasorg > > Twitter: @kathenasorg > > Instagram: @kathenasorg > > IRC: kathenas > > GPG: 724AA9B52F024C8B > _______________________________________________ > devel mailing list -- devel(a)lists.fedoraproject.org > To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue >

Red Hat doesn't need to mention it. It's a legal requirement of the GPL... anyone using the binaries has legal right to the source code. As for Red Hat cancelling users accounts who pull the source build binaries and share it... that'd probably land them in a lawsuit, because as long as that person who originally downloaded the code has the binaries... they are legally entitled to the source for them for as long as they have the binaries. Furthermore, anyone who shares a binary they build from RH sources... has a legal requirement to share the source onto the next person. These are precisely the type of issues with the MIT/BSD license that Stallman wanted to address with the GPL. Red Hat could terminate the dev license... and put RHEL entirely behind a paywall, but they have not stated that they are doing so. And I would imagine that they would get a ton of backlash if they did considering that was how they addressed the reaction the CentOS/CentOS Stream change. But even if they did that, they still have to provide source to anyone with the binaries. So all it would take is one person buying a license, and then releasing the code. Even if Red Hat banned that account, there would just be another account to do the same thing again. Red Hat would have to play whack-a-mole to try to stop people from doing that constantly. On Wed, Jun 21, 2023 at 4:14 PM Philip Wyett <philip.wyett(a)kathenas.org&gt; wrote:

code. Correct. Per the GPL if you have the binary you have a legal right to the code. Also the GPL does contain clauses that stipulate that outside agreements cannot excuse anyone from the conditions of the license, see the No Surrender of Others' Freedom section. Also keep in mind that you can download the RHEL ISOs for free without a dev license from this page: https://developers.redhat.com/products/rhel/download You can't update the packages, but you can install that version of RHEL on your computer and use it. So anyone grabbing that ISO has legal right to the source code for the base system. On Wed, Jun 21, 2023 at 4:35 PM Philip Wyett <philip.wyett(a)kathenas.org&gt; wrote:

made a commitment to keep it? installing a new system every 6 months is a joke. You can download ISOs without a dev account. Someone could easily get the SRPMS as they are entitled to have and compile them and make a 3rd party repo that everyone could add and update from, so people wouldn't have to re-install. My point is that Red Hat is not able to lock down the code because of the GPL. There will always be a way around anything they try to put in place. People in the FLOSS world really care about this stuff and are also really stubborn... if Red Hat tries to do anything like this, there will be thousands of people that will come together to work around everything Red Hat attempts to put in place to block people. Don't worry, take a deep breath and relax, the code will remain open source and it will remain freely available. On Wed, Jun 21, 2023 at 4:56 PM Philip Wyett <philip.wyett(a)kathenas.org&gt; wrote: > On Wed, 2023-06-21 at 16:49 -0400, JT wrote: > > > I believe the GPL asks you never have to make agreement to access GPL > code. > > > > Correct. Per the GPL if you have the binary you have a legal right to > the code. > > Also the GPL does contain clauses that stipulate that outside agreements > cannot excuse anyone > > from the conditions of the license, see the No Surrender of Others' > Freedom section. > > > > Also keep in mind that you can download the RHEL ISOs for free without a > dev license from this > > page: https://developers.redhat.com/products/rhel/download You can't > update the packages, but > > you can install that version of RHEL on your computer and use it. So > anyone grabbing that ISO > > has legal right to the source code for the base system. > > > > > > Who says that developer account will be available soon, Have Red Hat made > a commitment to keep it? > > installing a new system > every 6 months is a joke. > > Regards > > Phil > > -- > *** Playing the game for the games own sake. *** > > > Associations: > > * Debian Maintainer (DM) > * Fedora/EPEL Maintainer. > * Contributor member of the AlmaLinux foundation. > > WWW: https://kathenas.org > > Buy Me a Coffee: https://www.buymeacoffee.com/kathenasorg > > Twitter: @kathenasorg > > Instagram: @kathenasorg > > IRC: kathenas > > GPG: 724AA9B52F024C8B >

I already sent you the URL in a prior response: https://developers.redhat.com/products/rhel/download I am being respectful, I've been trying to explain to you that this isn't anything to get stressed out over. I've calmly addressed the questions you've raised. What you are worried about is not possible because of the legal requirements of the GPL which Red Hat has accepted by using GPL licensed code. You're stressing out over a non issue... you dont need to stress over this... aka... you can relax... it's going to be ok. If me addressing your concerns and telling you that you dont need to worry is disrespectful... well... I'm sorry that you think I'm being disrespectful. I'm trying to make you feel better by explaining that you dont need to be worried. On Wed, Jun 21, 2023 at 5:12 PM Philip Wyett <philip.wyett(a)kathenas.org&gt; wrote:

On Wed, 21 Jun 2023 21:06:40 +0100, you wrote: My interpretation of the blog post, combined with recent actions towards Fedora by Red Hat, is that Red Hat now views CentOS Stream as the new "Fedora" for basing future versions of RHEL.

On Wed, Jun 21, 2023 at 4:07 PM Philip Wyett <philip.wyett(a)kathenas.org&gt; wrote: I'm not particularly inclined to feel favorably toward Red Hat, but I don't see what the availability of RHEL srpms has to do with Fedora. We're upstream of RHEL. On Wed, Jun 21, 2023 at 4:26 PM Gerald Henriksen <ghenriks(a)gmail.com&gt; wrote: Not really. Fedora is the basis for new RHEL major versions (e.g. RHEL 10). CentOS Stream is the next RHEL minor version (9.X). -- Ben Cotton (he/him) TZ=America/Indiana/Indianapolis https://fedoraproject.org/wiki/User:Bcotton

On Wed, Jun 21, 2023 at 5:09 PM Philip Wyett <philip.wyett(a)kathenas.org&gt; wrote: ELN is a build of (some) Fedora packages with EL-specific options, so it requires Fedora. -- Ben Cotton (he/him) TZ=America/Indiana/Indianapolis https://fedoraproject.org/wiki/User:Bcotton

Sure, but... that's the _opposite_ of the direction things are going. Previously, what happened to make a major RHEL release was: 1. Some Fedora Linux Release -> an internal bootstrap 2. ... a year or so of secret work ... 3. RHEL Beta 4. RHEL Release 5. CentOS Linux rebuild 6. Internal RHEL build process, internal work on minor release 7. RHEL updates appear in publiuc 8. CentOS Linux rebuilds of those. There's no connection to Fedora beyond the intial fork, and a lot of work done inside Red Hat without any transparency. Now, CentOS Stream brings that to the surface: 1. Fedora Rawhide continually updated 2. ELN maintained in parallel, as part of Fedora 3. At some point, ELN branched to new CentOS Stream 4. ... a year or so of CentOS Stream development in public ... 5. RHEL Beta forked from that, released 6. Work on RHEL updates visible in CentOS Stream 7. Updates appear in CentOS Stream 8. Updates released to RHEL Note that with CentOS Stream 10 / RHEL 10, step 3 here will _maintain git history from Fedora, which is a big improvement in preserving all of the incredible, valuable work from Fedora contributors. All of this is the exact opposite of Red Hat preparing to make some new base for RHEL. Additionally, this model provides a clean path for Red-Hat-opinionated decisions to differ from those we make from Fedora. Take BTRFS as an example. Or, the increase in CPU baseline. Like this: Fedora Linux: Community Space ----------------------------- * Community engineering decisions * No special code privileges due to your employer * Community-run infrastructure with RH investment, significant resources from Amazon, contributions from other companies * Community quality engineering with RH investment * Community support * No cost CentOS Stream: Shared Space --------------------------- * Red Hat Engineering decisions with community input * Pull requests from the community, approval from Red Hat engineers * Red Hat-provided and maintained infrastructure * Red Hat quality engineering with partner and community involvement * Community support * no cost Red Hat Enterprise Linux: Product Space --------------------------------------- * Red Hat Engineering decisions with customer input * Red Hat engineers and only RH engineers do the work * Red Hat infrastructure * Red Hat quality engineering (mostly done in Stream, though) * Enterprise support * Subscription, including low- and no-cost options Previously, we had a whole convoluted thing which people tried to describe in terms of MC Escher paintings. This is far better, and Fedora is in a better place. In the earlier setup, CentOS _was_ sometimes positioned as a competitor (although generally, those of us working in the actual Fedora and CentOS communities didn't have any interest in playing that game.) -- Matthew Miller <mattdm(a)fedoraproject.org&gt; Fedora Project Leader

Josh Boyer wrote: The *development process* is more open, but the production releases, which is the only thing end users are interested in, are less open! Kevin Kofler

Once upon a time, Neal Gompa <ngompa13(a)gmail.com&gt; said: Is it? At one point, there were considerable gaps in security updates; RHEL 9.x would get an update while CentOS Stream 9 (as the target for RHEL 9.[x+1]) didn't get a corresponding update for quite a while. If Stream doesn't get security updates in a timely fashion, it is not at all suitable for production use. -- Chris Adams <linux(a)cmadams.net&gt;

Once upon a time, Michael Catanzaro <mcatanzaro(a)redhat.com&gt; said: Seems like some tooling/notifications might could help with that, although that type of work is rarely interesting enough to get resource assignment in the business world (and since all of this is done behind Red Hat's curtain, there's AFAIK no path for community involvement). I guess a non-Hatter could use a dev subscription to compare RHEL content to CentOS Stream content and note differences (and file BZes I guess?). Is there any chance of having a CentOS Stream repo along the lines of Fedora's updates-testing, so that CVEs at least would have some type of available update in a timely manner? With 7 there's the fasttrack repo, but it doesn't actually seem to be used currently (and IIRC wasn't ever a "testing" type channel). -- Chris Adams <linux(a)cmadams.net&gt;

Hi, On Sat, Jun 24, 2023 at 6:09 PM Michael Catanzaro <mcatanzaro(a)redhat.com&gt; wrote: I think we should move this conversation to centos-devel mailing list. But also there is no point in -testing repo for CentOS Stream. When you build a package in CentOS Koji it gets into c9s-gate tag [1]. These packages are publicly available and if you'd like to use or test them before their RHEL part passed the internal RHEL QE, you can do that. https://kojihub.stream.centos.org/koji/taginfo?tagID=2 -- -- Aleksandra Fedorova bookwar

On Sat, Jun 24, 2023 at 6:36 PM Chris Adams <linux(a)cmadams.net&gt; wrote: Afaiu the use case we are discussing looks like: there is a CVE fix which you want to land in CentOS Stream as fast as possible. And that specific fix may be delayed because RHEL QE takes time and has to deal with their own priorities. So the fix is known, there is BZ for it and the merge request for it is also known and merged. The package is built, it is available in koji, but it sits in -gate tag and is not promoted to the -pending( which means compose, buildroot and mirrors) because it waits on RHEL QE. In this case you don't need a repo, you need just this specific build to apply it on your environment, isn't it? It is not that creation of repositories is not possible. I just think that having a repo with all of the content of -gate tag wouldn't help here. Especially since -gate tag contains also builds which failed the gating tests and therefore are not expected to be promoted ever. -- Aleksandra Fedorova bookwar

I do have packages on a RHEL9 system that do not appear in https://kojihub.stream.centos.org/koji/ - so the fix is unknown from an external view

On Sat, Jun 24 2023 at 03:26:46 PM +0000, Gary Buhrmaster <gary.buhrmaster(a)gmail.com&gt; wrote: Yes, you do not have to be a customer to use Bugzilla/Jira to report bugs.

On Sun, Jul 2 2023 at 09:53:30 PM +0000, "Smith, Stewart via devel" <devel(a)lists.fedoraproject.org&gt; wrote: It really depends. CentOS Stream does accept merge requests. With respect to security fixes in particular, I would certainly expect Red Hat would accept most merge requests that fix security problems. However, landing any change requires a relatively high amount of effort from a relatively large amount of people compared to Fedora, where packagers are in charge and things are much simpler. So whether or not your merge request will be accepted into CentOS Stream will be a business decision rather than a community decision. Factors that are outside your control will be considered (e.g. "how busy is QA team right now?") So my suggestion is to talk to the developers you see in the package changelog before submitting a merge request. Merge requests will often (hopefully even generally) be welcome, but not always. It's open source, but it's not a true community project like Fedora. For WebKitGTK specifically, I'm not interested in patching individual CVEs in CentOS Stream: it's generally much easier and safer to just always update to the latest upstream release instead. Michael

On Sun, Jul 2 2023 at 06:27:48 PM -0400, Demi Marie Obenour <demiobenour(a)gmail.com&gt; wrote: Dire emergencies like these are extremely rare, but when they do occur, everybody needs to work together to get updates out to all users ASAP. That's true for every distro. Hypothetically speaking, if I were ever unfortunate enough to be responsible for an emergency scenario like that, I'd still want enough basic QA to at least ensure that the update won't eat your disk, but such decisions would surely be handled on a case-by-case basis. In a more normal situation, updates take a few days to prepare. I really don't think there's any problem with how CVEs are handled in CentOS Stream *except* for the problem I mentioned earlier about maintainers forgetting to push package updates to CentOS Stream by mistake. We need a better process to ensure human error doesn't result in CentOS Stream missing security or non-security updates. (This impacts RHEL too, because future minor releases are built from CentOS Stream, and we don't want fixes to disappear in future releases.) Michael

On 2023-06-24 06:53, Chris Adams wrote: CentOS delayed security updates for 6-8 weeks, twice a year, every year of its entire existence, and people are still clamoring for it. Stream's delays seem trivial in comparison.  I'm not saying that delays are acceptable, just that this *apparently* isn't a major barrier for self-supported use cases.

Hi Leon, Apologies for this particular one. We thought we had everything covered in this area, but we messed up and our tests didn’t catch this before it exploded into our faces. Rest assured it wasn’t because we were trying to use the community as guinea pigs; we ourselves were surprised by the fallout, and have been working internally with the maintainers of our signing keys to get this resolved. That work is still ongoing, but we will probably delay disabling SHA-1 in PGP use until CentOS Stream 10/RHEL 10. -- Clemens Lang RHEL Crypto Team Red Hat

On Sunday, 25 June 2023 at 02:44, Kevin Kofler via devel wrote: The FOSS licenses give you the right to share the SRPMS, sans the Red Hat trademarks. Red Hat's terms of use for their subscriptions state explicitly (in several places), that: [...] This Agreement establishes the rights and obligations associated with Red Hat Products and is not intended to limit your rights to software code under the terms of an open source license. [...] So, unless you have some specific and verifiable examples, please stop spreading FUD. Regards, Dominik -- Fedora https://getfedora.org | RPM Fusion http://rpmfusion.org There should be a science of discontent. People need hard times and oppression to develop psychic muscles. -- from "Collected Sayings of Muad'Dib" by the Princess Irulan

Neal Gompa wrote: Well, another aspect that I think was not mentioned so far in this discussion is that CentOS Stream has only half the support time of RHEL, which makes it much less useful for production servers (and less advantageous over competitors' offerings such as Ubuntu LTS, which offer a similar support period as CentOS Stream). This also means that if RH is telling rebuilds to do their own backports from CentOS Stream, that is only going to help them in the first half of the lifecycle. In the second half, there are no point releases, hence also no CentOS Stream that would prepare those. So, as I understand it, the security fixes are then only going to be published through the subscription channels. At least Hetzner also offers Rocky Linux and (recently added due to customer demand) AlmaLinux. If their customers were happy with CentOS Stream, they would not do that. (For the record, I happen to be one of those customers, for a small VPS (currently still running CentOS 7) and 2 domain names. That is the only involvement I have with Hetzner.) Kevin Kofler

On Thu, Jun 22, 2023, at 11:01 AM, Matthew Miller wrote: Matthew, this is a great summary and also the understanding I currently have. It might be a good thing if this information lives in a more permanent place that I can refer people to. Perhaps something on Fedora's documentation about the Enterprise Linux ecosystem or a blogpost on either the Fedora or RedHat blogs? Regards, Simon

This was one of our key reasons to look at Fedora as an explicit upstream for the next generation of Amazon Linux. Without a feedback loop for contributions and changes, it severely limits what you may even want to incorporate, as merging this all for the next major release could be a major pain. Even trivially small things (such as bug fixes) that are beneficial to all (a random semi-recent example is making `lshw` not do a DNS lookup) weren’t *really* possible to quickly throw a pull request up for before CentOS Streams. There were other really nice properties of Fedora as well, such as each release having a mass-rebuild and thus you can be fairly sure that at any branch point, everything is quite likely to all build together. Maintaining git history is certainly fantastic from a transparency point of view. Beyond just git trees, we have had a few discussions in the Amazon Linux space on what we do with changelogs in the RPMs as well, especially with the increasing move to rpm-autospec, which means that git-merge of our own trees/rebuilds ends up with the old trick of “Release matches upstream, so it’s easy for humans” no longer that useful. There’s some balance of: - respect and refer to the amazing work done in the Fedora community - Don’t give Amazon Linux users the false impression that $random_fedora_contributor is who made the change in Amazon Linux that broke their $thing - that’s not fun for anybody. - Be clear as to the changes occurring in an Amazon Linux package update right now, for AL2023, We have an rpm-autospec-like thing at build time that will merge an `amzn-changelog` file that’s present in the git repo with the ‘%changelog’ in the SPEC file on SRPM build. The aim here is to be able to add changelog entries that are amzn specific easily, while not creating merge conflicts all the time It’d be great if we ended up with CentOS Stream and Amazon Linux doing the same thing, if only for consistency and being able to set some good expectation / good practice for distros downstream from Fedora. Maybe it’s a question for Fedora developers: how do you *want* downstream distributions to behave in this area? There’s guidelines for https://fedoraproject.org/wiki/Remix and https://fedoraproject.org/wiki/Spins_SIG along with https://fedoraproject.org/wiki/Releases/FeatureGenericLogos making some parts of downstream distros easier to do. This reminds me of the item on my TODO list of to start a discussion around how we can better have distro and package level option switches that both Fedora and downstream distros can flip on and off over time. I’ll go do that now... It’s also a good place to collaborate on some of the common base components of a Fedora based distro that has a longer support life cycle than a Fedora release gets. This may be a more significant part of the Amazon Linux story as AL2023 and beyond ages, as well as we tune how we interact with upstreams with bug fixes in an existing OS version. If I was going to put a diagram of where Amazon Linux sits in that ecosystem, it’d likely look something like this: Fedora ——> Amazon Linux \____> CentOS Stream —> RHEL

On Tue, Jul 11, 2023 at 12:49:10PM +0200, Kevin Kofler via devel wrote: SUSE too, but it is not so funny as Oracle's https://www.suse.com/news/SUSE-Preserves-Choice-in-Enterprise-Linux/ -- Tomasz Torcz “Funeral in the morning, IDE hacking tomek(a)pipebreaker.pl in the afternoon and evening.” - Alan Cox

Kevin Kofler via devel venit, vidit, dixit 2023-07-11 12:49:10: Thanks for the pointer. They really make sure that they come out as "the last standing good ones" from this. Cleverly written. And they do have valid points. It's kind of sad when you know where RedHat and Oracle are coming from, and how predictable that PR twist ist. Now, if Orcale really makes sure to pick from CentOS Stream as closely (to RHEL) as possible we can take gusses how long it will take Alma and Rocky to change upstreams, or become obsolete. Michael

Den tis 11 juli 2023 kl 19:12 skrev Mattia Verga via devel < devel(a)lists.fedoraproject.org&gt;: Can we collaborate in some way with those communities so that we support Wouldn't it make more sense to branch out from CentOS Stream if they want to be close to RHEL? /Andreas

Am 11.07.23 um 21:02 schrieb Chris Adams: An addendum to this: C8S ends 2024, while RHEL8 ends 2029 C9S ends 2027, while RHEL9 ends 2032 -- Leon

SUSE has also jumped in to say they will provide an alternative, but compatible Linux to RH. Leslie Satenstein     On Tuesday, July 11, 2023 at 06:49:38 a.m. GMT-4, Kevin Kofler via devel <devel(a)lists.fedoraproject.org&gt; wrote: Oracle has (finally – the community projects Rocky and Alma were much quicker to react) made an announcement about the situation: https://www.oracle.com/news/announcement/blog/keep-linux-open-and-free-20...         Kevin Kofler _______________________________________________ devel mailing list -- devel(a)lists.fedoraproject.org To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

On 14/07/2023 08:16, Carlos Rodriguez-Fernandez wrote: Imagine Red Hat shutting down CentOS Stream in a year or two just because they [Alma, etc.] started doing rebuilds. :-D -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)

Carlos Rodriguez-Fernandez wrote: So this is now a significant difference between AlmaLinux and Rocky Linux, which were previously basically two of the same. Rocky Linux is intent on keeping 1:1 compatibility by obtaining RHEL sources through undocumented (by RH), but apparently legal (at least according to Rocky), tricks: https://rockylinux.org/news/keeping-open-source-open/ and has reaffirmed this in their forums in light of the AlmaLinux announcement: https://forums.rockylinux.org/t/has-red-hat-just-killed-rocky-linux/10378... Kevin Kofler

On 2023-06-21 13:26, Gerald Henriksen wrote: I think that's ... kind of true, in a good way. I don't know if you were around at the time, but before Red Hat Linux split in to RHEL and Fedora, users had long wanted the ability to contribute to the distribution.  The split created a community distribution that developers could join, and that distribution became a much larger, high quality distribution. CentOS Stream is a stable LTS, very similar to other widely used stable LTS releases.  Developers can open pull requests for appropriate changes.  Red Hat accepts bug reports related to the product. All of this is a huge improvement over the old CentOS process.

On 22/06/2023 10:11, Daniel P. Berrangé wrote: Yet. -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)

On 6/21/23 22:26, Gerald Henriksen wrote: CentOS Stream topic is still confusing to many, thus I am going to use the opportunity to mention two talks which I have provided at FOSDEM 2022 [1] and Open Infra Summit 22 [2] on the matter: [1] https://archive.fosdem.org/2022/schedule/event/centos_stream_stable_and_c... [2] https://discussion.fedoraproject.org/t/centos-stream-talk-at-openinfra-su... I also have a leaflet version [3] for those who prefer text. [3] https://gitlab.com/bookwar/centos-leaflet/-/blob/main/centos-leaflet.pdf ---- Part of the confusion comes from the fact that people refer to upstream development, Fedora development and CentOS/RHEL development using just one word - development, while in reality these are three very different activities, and all of them are required for the RHEL existence. You can not replace upstream with RHEL development, you would have to create new upstream for that. The same way you can not replace Fedora development with RHEL/CentOS Stream development, it is a very different thing and you would need to create it. The second part comes from thinking of CentOS Stream as something in the middle, between Fedora and RHEL. CentOS Stream is a rebuild of RHEL. It is a rebuild of exactly RHEL sources taken from the same git tree as RHEL builds take those sources. It is not a middle - it is RHEL. ---- So let's look at the sources story closely: 1) How it was before Stream: there was an internal git tree. RHEL Engineers would commit RHEL changes to that tree, changes would be built into RPM and SRPM. On release, RPM and SRPM would be published for RHEL customers. On that release date CentOS engineers would take the published SRPM, unpack it, and upload the content to the centos git repo. So CentOS git essentially contained the "exploded SRPMS". No git history was available. CentOS Engineer then would go to CentOS Koji and build the CentOS package from that exploded source 2) How it was after Stream but Before the announcement: There is a public git tree on GitLab.com [4] RHEL Engineers commit changes to it. RHEL engineers build CentOS package in public Stream Koji _and_ RHEL package internally from the same git commit. CentOS package becomes public, RHEL package goes into RHEL repository. [4] https://gitlab.com/redhat/centos-stream/rpms/glibc As soon as RHEL package is released, the SRPM for a RHEL package becomes available. CentOS Engineer would take that SRPM, unpack it and upload the content to CentOS Git. But the CentOS package for that RHEL SRPM has already been built weeks ago. So now we have CentOS package, which is available for weeks in Koji, its sources available for the same two weeks on GitLab [4], with proper git history, MR history, and test history. And then a there is a second set of CentOS sources (exploded rpms, no history), which are not really CentOS sources anymore, because CentOS doesn't build anything from them. 3) So what happened? - CentOS Engineers will not be producing that git repo of exploded SRPMs anymore because there is no need for them in CentOS project. - Red Hat recommends to take RHEL sources from CentOS Stream repositories because that is the actual source from which RHEL packages are built by RHEL Engineers. Can you still get access to SRPMs and create exploded sources repo - Yes. But there is no practical reason for Red Hat or for CentOS Project to maintain such a service. There is no change in Fedora or with anything related to Fedora. -- Aleksandra Fedorova, member of Fedora Council RHEL/CentOS Strem CI Engineer bookwar on Matrix

Dne 23. 06. 23 v 12:46 Leon Fauster via devel napsal(a): Please understand that (speaking of the user space packages, I cannot speak for kernel) there are no other sources then the sources in GitLab, which is publicly accessible (AFAIK). Vít

Dne 23. 06. 23 v 15:34 Michael Catanzaro napsal(a): Ok, you are right. But there are two things: 1) This was deliberate choice of maintainer, nothing else. Maintainer chosen to skip the 2.38.5 whatever the reason was 2) Does it harm anything to have the 9.3 package sooner the having RHEL 9.3 out? Is it really less stable as was claimed elsewhere in the thread? Vít

Dne 23. 06. 23 v 18:14 Vít Ondruch napsal(a): Ah, there is actually webkit2gtk3-2.38.5-1.el9_2.2 not webkit2gtk3-2.38.5-1.el9.2. I got it now. Vít

On Fri, Jun 23, 2023 at 9:35 AM Michael Catanzaro <mcatanzaro(a)redhat.com&gt; wrote: Which means equivalent fixes are in CentOS Stream and anyone wanting to recreate exactly what is in RHEL is welcome to backport that code from CentOS Stream or upstream. josh

On Fri, Jun 23, 2023, 3:20 PM Michael Catanzaro <mcatanzaro(a)redhat.com&gt; wrote: Yes, the work you do is not easy. In this particular case, there are two CVEs fixed somewhere in the Or build up a knowledge of the code base that allows one to do it themselves. I don't really have any strong opinion about this change. Just pointing I don't think it's impossible. I think it requires work, skill, and investment. josh

Yep! I (We) spend a lot of unpaid time to provide EL bug reports, helping the devs to test their fixes, until it gets into the next EL minor release. Especially when a new major EL release is GA, it has a lot of bugs that I normally do report (doing it since EL5 personally). This is sometimes only possible when having the source code to test some patches before adding them to the report. Despite the argument that the srpms are available in the portal area, I wonder if the mentioned decision had included this "tacit" input that is coming from the "community". Not having such input in combination with a reduced community will for sure have a negative impact. I'm already reading statements from Fedora maintainers of their EPEL backtracks and I can imagine that the same is happening for less visible contributions ...

https://access.redhat.com/security/updates/backporting/

Am 22.06.23 um 16:08 schrieb Stephen Gallagher: But is Red Hat still commited to open source and to the freedom of software? I feel no and feel cheated and betrayed. Ralf

On 2023-06-21 13:06, Philip Wyett wrote: I don't think this is a major change from the status quo. In the past, Red Hat has published a subset of the git repositories used to create RHEL.  They have published spec and patches used to create the current minor release of each major, but nothing from the EUS or SAP support periods.  That is, they haven't published any updates to any branch other than the latest branch they publish.  There is only one available branch at any time. Now that Stream is available, the same thing is (apparently) true.  At least, as best as I understand their announcement. There will be just one available branch, and that branch will contain the spec and patches used to create the latest packages.

The big deal is that it sends wrong signals at the wrong time. Within the last few weeks, we had out of the blue (pun intended): - Lay-off of the Fedora Program Manager - Dropping LO packages and dependencies the hard way (orphan first, announce later when the rubbles are crumbling) - Retreating from GPL's source distribution requirement to the bare minimum (or less, I'm no lawyer) In each case, the way it was done and communicated was literally begging for bad press. In the specific case of RHEL srpms, it makes life harder for EPEL packagers because you can't look at the source easily when they are problems between RHEL and EPEL packages. It matches well with RH's standard of shipping libraries without headers etc - it is easier for them and limits the scope of support contracts but makes upstream's life harder. So, the signal is either "we don't care about our upstream" or "we do not understand upstream's importance and concerns". And that is why packagers may consider dropping EPEL branches and let RH pick from Fedora what they want - at the expense of having to support it themselves. That will reduce RHEL to a pure enterprise distribution without community. Is that what their customers want? Groundhog day.

22/06/23 11:06, Matthew Miller wrote: Why should we keep contributing to EPEL? To be forced to use 16 free RHEL instances maximum? What is the advantage for us volunteer contributors? I mean, we did not do it for personal advantage, we did it to help us each other within the Enterprise Linux distros community, but this Red Hat move will kill the Enterprise Linux distros community, leaving only with RHEL, which is mostly a paid subscription distribution, let's call things with their proper name

I'm a Red Hat employed engineer, working on all Fedora, CentOS Stream and RHEL. This is what each means for me in particular (but should also be applicable in general) in practice: * RHEL - only when I'm bound by some legal requirement (embargo, etc.) I do work 'RHEL only' (not visible in CentOS stream). In practice, such work is expected to be seen in CentOS Stream once the legal barrier falls / expires. * CentOS Stream - all work (except abovementioned) for RHEL is done here. The code has been available here (for 2 years already for C9S): https://gitlab.com/redhat/centos-stream/ Are you missing anything? (codebase-wise) This means my work on RHEL is visible unlike ever before. Open to submissions via merge requests Also merge requests where I develop changes are open to examination during my development of them. (unlike anytime before) * Fedora - unlike RHEL or CentOS, this is the place where I can develop new features. I don't have this space downstream. So tuning packaging, trying out various enhancements, adopting big upstream changes, packing latest greatest upstream releases. All that will be branched to form a new RHEL one day. This is the only way for me to introduce big changes. As I see it, both RHEL and Fedora profit from that to maximum. And I don't expect this relationship to go away anytime soon. However I might have misunderstood the core of this discussion. -- Michal Schorm Software Engineer Core Services - Databases Team Red Hat -- On Thu, Jun 22, 2023 at 11:39 AM Miroslav Suchý <msuchy(a)redhat.com&gt; wrote: