Something odd happened to
git.centos.org last week. That’s the repository where Red Hat has traditionally published the source code to everything that’s a part of Red Hat Enterprise Linux (RHEL) to fulfill the requirements of the GPL license. Last week, those packages just stopped flowing. Updates weren’t being published. And finally, Red Hat has published a clear answer to why:
Red Hat has decided to continue to use the Customer Portal to share source code with our partners and customers, while treating CentOS Stream as the venue for collaboration with the community.
Sounds innocuous, but what’s really going on here? Let’s have a look at the Red Hat family: RHEL, CentOS, and Fedora.
RHEL is the enterprise Linux distribution that is Red Hat’s bread and butter. Fedora is RHEL’s upstream distribution, where changes happen fast and things occasionally break. CentOS started off as a community repackaging of RHEL, as allowed under the GPL and other Open Source licenses, for people who liked the stability but didn’t need the software support that you’re paying for when you buy RHEL.
Red Hat took over the reigns of CentOS back in 2014, and then imposed the transition to CentOS Stream in 2020, to some consternation. This placed CentOS Stream between the upstream Fedora, and the downstream RHEL. Some people missed the stability of the old CentOS, and in response a handful of efforts spun up to fill the gap, like Alma Linux and Rocky Linux. These projects took the source from git.centos.org, and rebuilt them into usable community operating systems, staying closer to RHEL in the process.
Red Hat has published a longer statement elaborating on the growth of CentOS Stream, but it ends with an interesting statement: “Red Hat customers and partners can access RHEL sources via the customer and partner portals, in accordance with their subscription agreement.” What exactly is in that subscription agreement? Well according to Alma Linux, “the way we understand it today, Red Hat’s user interface agreements indicate that re-publishing sources acquired through the customer portal would be a violation of those agreements.”
Yes, this looks like an intentional move from Red Hat to put an end to bug-for-bug compatible RHEL clones. CentOS Stream just isn’t quite the same as RHEL, and there are bugfix patches that land in RHEL and not in CentOS Stream. For what it’s worth, both Rocky and Alma have put out statements, each affirming their plans to move forward with their respective distros. But there’s obviously a scramble happening, and some uncertainty about what the future holds.
Can Red Hat do this? It’s time to put our legal caps on, remind everyone that we’re not actually lawyers, and take a look at what the licenses actually say. Specifically the GPL v2, since the kernel is the heart of the system. So first off, the basic tenant of the GPL is that if you distribute a binary program under the GPL, you must also offer the source code to go with it. What’s really interesting is the stickiness of the GPL, that any derivative works are also licensed under the GPL, and you are compelled to make the derivative source code available to anyone using your derivative program. This has been called the viral nature of the GPL, sometimes seen as a flaw, but it’s definitely in the license on purpose.
The GPL does have one more interesting bit, section 6, that stipulates that when a program is distributed, the recipients are automatically licensees, and have the same rights to copy or distribute. This section goes so far as to state, “You may not impose any further restrictions on the recipients’ exercise of the rights granted herein.” Red Hat is restricting the right of its users to share source code, so it’s imposing further restrictions, right? Somebody call Linus Torvalds, and get him to send a cease-and-desist to Red Hat? Well maybe.
Licenses Don’t Compile
Tip of that hat once again to [Simon Phipps], for the insight that licenses don’t compile down to precise meanings. Personally, I see this as an obvious GPL violation, but I’ve also seen disagreement and reasonable arguments — shout out to [jspaleta] for being that reasonable voice — that this isn’t a restriction on copying, it’s just an additional user agreement that terminates access to updates if the code is re-published.
I don’t find this a compelling argument, but it’s likely what Red Hat would argue if this ever came to a court case. I asked [Simon], who has some claim to being a Free and Open Source software expert, his take about the re-publishing restriction. His response? “That, sir, is the big question.”
This isn’t the first time Red Hat has raised eyebrows with GPL compliance either. Back in 2011, Red Hat stopped publishing kernel patches in an easy-to-use format, and just dumped the patched kernel in a huge tarball. The nicely formatted patches were available to Red Hat customers, but with the restrictions that they weren’t to be shared in that format. Was that a GPL violation?
It’s less certain, since the patches in question *were* available in the tarball. And more importantly, there was never enough damage done to any one entity to actually provoke a lawsuit over the issue. Another company, Sveasoft, pulled this trick nearly two decades ago, and even claimed that the Free Software Foundation signed off on their GPL interpretation. But the upstream developers themselves didn’t buy this at all, and the OpenWRT project publicly sent Sveasoft a notice that their license was revoked due to GPL violations. Wild times. Not all the details of how that played out were made public, but it’s notable that Sveasoft is defunct and forgotten, and OpenWRT is still thriving and publishing new releases.
So, where does that leave us? Rocky Linux and Alma Linux are scrambling, putting short term solutions in place, while making hard decisions about their long term futures. Red Hat may or may not change course or make clarifying statements. And the rest of us are waiting to see how things will settle out.
I can’t help but see parallels to the Dungeons and Dragons debacle when Wizards of the Coasts (WotC) tried to deauthorize the Open Gaming License, and every other TTRPG publisher had all-time record months as consumers abandoned ship. WotC managed to turn fate around by quickly backpedaling on that licensing decision, making the game even more open than before.
So, do you have a RHEL license, or manage purchasing at some medium or large company? Maybe it’s time to drop Red Hat a note and let them know that you really don’t appreciate their hostility towards their community, or their attempts to bend the GPL into a pretzel. And if Red Hat keeps it up? Well, I hear SLES is great.
But Red Hat’s move does raise concerns about the health of the GPL. GRSecurity has been using the same techniques for years now, and no one has stepped up to challenge that in court. That really leaves us where we started. Do business with and support those that are willing to be good community members.