Archived View for gemlog.blue › users › BaronHK › 1692941732.gmi captured on 2023-09-08 at 16:19:16. Gemini links have been rewritten to link to archived content
IBM’s New Pejorative for People Who Use Fedora or an Enterprise Linux Clone Is “Freeloader,” and They Don’t Want to Know About Security Holes.
A word that IBM, their fanboys, and the remaining unpaid volunteers have been bandying about lately is “Freeloader”.
In IBM Red Hat’s book, anyone who isn’t currently coughing up a subscription fee to use RHEL is “Freeloading”. Basically, they see you as a parasite.
This word doesn’t just apply to a person who grabs Fedora, uses it on their laptop, and never files a bug report. It applies more broadly to organizations that deploy a free Enterprise Linux clone across their business because they think they can self-support.
It also applies specifically to Oracle, because even before IBM, Red Hat was already trying to portray Oracle Linux as some sort of “stolen product” with its “Unfakeable Linux” marketing campaign.
Let’s talk about users. Fedora has always had a very transactional relationship with users from Red Hat’s point of view. Users were valuable as bug reporters. We’d get this software on our daily systems for free, and in return, when something went wrong, we were “requested” to file bug reports.
However, IBM doesn’t value bug reports because, as the new boss in town, it isn’t actually interested in fixing bugs. It wants to hide them, like Microsoft, according to AlmaLinux developers who tried reporting security vulnerabilities in RHEL components.
"KnownHost CTO and AlmaLinux Infrastructure Team Leader Jonathan Wright recently posted a CentOS Stream fix for CVE-2023-38403, a memory overflow problem in iperf3. Iperf3 is a popular open-source network performance test. This security hole is an important one, but not a huge problem. Still, it’s better by far to fix it than let it linger and see it eventually used to crash a server.
That’s what I and others felt anyway. But, then, a senior Red Hat software engineer replied, “Thanks for the contribution. At this time, we don’t plan to address this in RHEL, but we will keep it open for evaluation based on customer feedback.”
[…]
The GitLab conversation proceeded:
AlmaLinux: “Is customer demand really necessary to fix CVEs?”
Red Hat: “We commit to addressing Red Hat defined Critical and Important security issues. Security vulnerabilities with Low or Moderate severity will be addressed on demand when [a] customer or other business requirements exist to do so.”
AlmaLinux: “I can even understand that, but why reject the fix when the work is already done and just has to be merged?”
At this point, Mike McGrath, Red Hat’s VP of Core Platforms, AKA RHEL, stepped in. He explained, “We should probably create a ‘what to expect when you’re submitting’ doc. Getting the code written is only the first step in what Red Hat does with it. We’d have to make sure there aren’t regressions, QA, etc. … So thank you for the contribution, it looks like the Fedora side of it is going well, so it’ll end up in RHEL at some point.”
One user wrote, “You want customer demand? Here is customer demand. FIX IT, or I will NEVER touch RHEL EVER.” While another snarked, “Red Hat: We’re going totally commercial because Alma never pushes fixes upstream! Also, Red Hat: We don’t want your fixes, Alma!”
On Reddit, McGrath said, “I will admit that we did have a great opportunity for a good-faith gesture towards Alma here and fumbled.”
Finally, though the Red Hat Product Security team rated the CVE as “Important,” the patch was merged."
- ZDNet article “AlmaLinux discovers working with Red Hat isn’t easy”
The attitude that Microsoft and IBM share toward security vulnerabilities is that they don’t want to touch the fix, even if someone else already wrote it, because it may cause a regression that they then have to spend time and money sorting out.
Microsoft’s attitude is so bad that they use old and insecure versions of gnupg to generate package signatures on their “Linux” software. It hardly matters, though, because they point dnf on Fedora or RHEL at their own server to fetch the .asc key file. That means a user who has Microsoft programs on their computer can receive a tampered copy as an “update” with no warning at all: an attacker who controls the server can simply replace the .asc with a key they control and serve it alongside the tampered package as part of the attack.
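A defender’s check for the .asc problem just described, as an added example that is not from the original post: a small audit of dnf .repo definitions that flags repos whose gpgkey is fetched from a remote URL instead of being pinned on disk, or that skip package or repodata signature checks. The repo ids, URLs and key paths in the sample are constructed placeholders.

```python
# Added example (not from the original post): audit dnf/yum .repo text for signing-key trust weaknesses.
import configparser
# Constructed sample .repo text; repo ids, URLs and key paths are placeholders, not any vendor's real values.
SAMPLE_REPO = """[vendor-remote-key]
baseurl=https://packages.example.com/rhel/9/prod/
enabled=1
gpgcheck=1
gpgkey=https://packages.example.com/keys/vendor.asc

[vendor-pinned]
baseurl=https://packages.example.com/rhel/9/prod/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-vendor

[unsigned-extras]
baseurl=https://mirror.example.com/extras/
enabled=1
gpgcheck=0
"""

def audit_repo_text(text):
    """Return {repo_id: [findings]} for every enabled repo in the .repo text."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    report = {}
    for repo in cfg.sections():
        sec = cfg[repo]
        if sec.get("enabled", "1") != "1":
            continue
        findings = []
        if sec.get("gpgcheck", "0") != "1":
            findings.append("gpgcheck disabled: packages are installed unverified")
        # gpgkey may list several keys; a remote one is fetched from the same server the packages come from
        for key in sec.get("gpgkey", "").split():
            if key.lower().startswith(("http://", "https://", "ftp://")):
                findings.append(f"signing key fetched from {key}: pin it under "
                                "file:///etc/pki/rpm-gpg instead")
        if sec.get("repo_gpgcheck", "0") != "1":
            findings.append("repo_gpgcheck not enabled: repository metadata is unverified")
        report[repo] = findings
    return report

if __name__ == "__main__":
    for repo, findings in audit_repo_text(SAMPLE_REPO).items():
        print(f"[{repo}] {len(findings)} issue(s)")
        for finding in findings:
            print("  -", finding)
```

Point it at the contents of each file in /etc/yum.repos.d to review a real system; a pinned key still has to be verified by fingerprint out of band before it is imported with rpm --import.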
I think it’s, frankly, frightening that IBM admits security patches are not one of their highest priorities in such a widely used system as RHEL.
Don’t get caught up in the “security poser” malarkey and buzzword bullshit bingo, like Matthew Garrett does with his nerve-grating overuse of things like “attestation”, “TPM”, and “roots of trust”.
These things are not security. If the software you’re using is garbage, your security is garbage. You need to use software from people who just fix their damn bugs, and vendors who get those patches shipped to you ASAP. Everything else is basically pointless.
My roots of trust are simple. It’s on my computer, I trust it. Fuck off.
The first and last time I’ve had a computer virus, it was on Windows 98, and it was Chernobyl (it was set to trigger a malicious BIOS flash until the ROM was bricked). Thankfully, I pulled it out in time.
I have never had any “Linux malware”, and that record is unbroken since 1998.
Seriously, patch your software, get it from a legitimate source, and don’t worry too much.
If a company is like Microsoft and IBM, and doesn’t want to know about security holes, they don’t deserve their customers on that issue alone.
Where were we? Ah, yes. Freeloading. IBM’s open contempt for Fedora is even worse.
They are throwing out many unpaid volunteers who were doing free work for IBM Red Hat, and calling those people “Freeloaders”, with absolutely no sense of irony, apparently. IBM gets a lot of software for free.
They stopped paying the FSF around the time Molly de Blanc and other unproductives, like Garrett (his last useful code was in the 2000s, I think, when he worked on ACPI), organized people around a defamatory petition against Richard M. Stallman, who, as Roy Schestowitz points out, is a 70-year-old man.
But IBM still pulls GNU software without paying for it. And many other people’s software! FREELOADERS!
Users of free clones can be future customers.
The “free” developer license for RHEL does not allow you to deploy it across your whole organization, get settled in, and then realize you need support after all.
The free clones were an ongoing source of new customers, who would often bring lots of machines with them by the time they approached Red Hat and wanted to do an in-place conversion. This was a serious amount of money.
IBM says they’re just Freeloaders and harasses the distributions that onboard customers into the “Red Hat” way of doing things and land them clients.
Even when they don’t make sales, their product gets more market share, which was why it was the de facto “standard”.
Oracle “Freeloading”.
Perhaps most of all, Red Hat (pre- and post-IBM) had disdain for Oracle Linux, but Oracle didn’t have compelling reasons to lure away people who wanted a product identical to RHEL. Oracle is not the authoritative source of RHEL; IBM is. Whatever Oracle consumes is what IBM decided to put in there.
A customer education campaign on this subject would have been better than labeling Oracle as some sort of “stolen product”.
Oracle is not going for exactly the same customers. They have their own “Unbreakable Enterprise Kernel”, which is already quite different and which boots by default.
UEK is modified to run Oracle-type workloads better than the RHEL Compatible Kernel, but despite this, the compatibility issues with it are rare.
The Linux kernel version does not directly interact with very many programs in userspace, so as long as you have a stable kernel that’s being serviced by someone who knows what they’re doing, you’re probably going to be fine running the RHEL userspace on top of it, which makes IBM’s decision to obscure their kernel all the more bizarre.
The future of RHEL clones is not entirely under IBM’s control anyway.
Already, an alliance (Open Enterprise Alliance Association) of SUSE, Oracle, and CIQ (sponsor of Rocky Linux) has come together to make a “commons” out of the Enterprise Linux source code.
Ironically, the alliance’s Web site pokes fun at IBM.
“The Community Repository for Enterprise Linux Sources. No subscriptions. No passwords. No barriers. Freeloaders welcome.”
Essentially, IBM has succeeded only in angering a great many people with their antics, including washing their hands of Fedora this week, and in spurring their competitors into an alliance to reduce the work of maintaining competing RHEL clones.
This has all been so very stupid and avoidable.
The (bribed) media has been focusing on this “AI” nonsense between Microsoft and IBM, but all it will ever do is cost IBM money.
IBM decided to throw an actual product, and company, that it spent a considerable amount of money acquiring into the garbage, and pivot to running like some idiotic San Francisco cash furnace with an account at the Bank of Silicon Valley.
It will not end well for them if they proceed.