Red Hat: 'Yes, we undercut Oracle with hidden Linux patches'

But CentOS will live, CTO tells El Reg

Red Hat has changed the way it distributes Enterprise Linux kernel code in an effort to prevent Oracle and Novell from stealing its customers, making it more difficult for these competitors to understand which patches have been applied where.

Some have speculated that the change is designed to make it harder for Oracle as well as the open source CentOS project to build their own Linux distributions. But Red Hat CTO Brian Stevens says this is not the case. He says the change is meant to hamper Oracle and Novell's ability to offer support to customers who are already running Red Hat Enterprise Linux (RHEL).

"We made the change, quite honestly, because we are absolutely making a set of steps that make it more difficult for competitors that wish to provide support services on top of Red Hat Enterprise Linux," Red Hat chief technology officer Brian Stevens tells The Register, before naming those competitors. "Today, there are two competitors that I'm aware of that go to our customers directly, offering to support RHEL directly for them...Oracle and Novell."

In essence, Red Hat is trying to hide information from these competitors that is essential to providing support for RHEL specifically. "What we're trying to impede is competitors that come to customers who are already running RHEL under subscription from Red Hat and saying 'Don't pay Red Hat anymore, pay us, and don't make any changes to your systems'," Stevens says.

He insists that the change does not violate either the letter or the spirit of RHEL's GPL open source license. "We were very careful that what we've done does not impede what our customers need to accomplish or what the community needs to accomplish." And he says that the change would not really hamper the development of other Linux distros, including CentOS.

"We haven't at all restricted CentOS's ability to grab source code and recompile it and clean-out trademarks and package it. It's just some of the knowledge of the insides that we're hiding," he explains. One longtime CentOS developer agrees.

"I'll not lose sleep on the matter," CentOS co-founder Russ Herold tells The Reg.

In November, with the release of Red Hat Enterprise Linux 6, the company released its kernel package with all patches pre-applied. "In the past, we distributed the kernel as a base file and then a set of add-on patches that accompany it. Then when you did a build, the build process automatically applied all those patches to the kernel file," Stevens says. "Now, we integrate those patch files directly into that kernel. We do the first part of the build process prior to distribution."

This was recently noticed by kernel-community member and LWN editor Jonathan Corbet, who took issue with the change, calling Red Hat's package "obfuscated" kernel source code.

"Distribution in this form should satisfy the GPL, but it makes life hard for anybody else wanting to see what has been done with this kernel," Corbet wrote. "Hopefully it is simply a mistake which will be corrected soon." Others speculated that the move would undermine not only Oracle's Unbreakable Linux, but also CentOS. Both are based on RHEL.

CentOS is meant to be a RHEL clone. Whereas the compiled bits of Red Hat Enterprise Linux are only available under a Red Hat paid subscription, CentOS is completely free.

"The changes will make work harder for distributions such as CentOS, the community-built Linux distribution ... based on Red Hat's sources," H Online said. "CentOS is built from the RHEL source by a limited number of volunteers and Red Hat's change in policy will mean more work for them unless more volunteers or other companies step in and provide them with assistance."

We heard similar noises from an experienced Linux kernel developer. He said that Red Hat's change was like shuffling all the cards in an old-fashioned Dewey Decimal library file system – the card you want is still there, but finding it is no easy task – and that this would cause problems for CentOS, which is an economic threat to Red Hat.

But CentOS founder Russ Herold insists the change is not a big issue. "Private local trial builds of the released RHEL 6 sources by me and others have proceeded with no major problems. I just do not see the changes as some earth-shattering change. I just think [the patches will be] incrementally more difficult to figure out," he says.

"Nothing in Red Hat's new approach prevents a person from running a local version-control system, containing the pristine kernel at point A, and the Red Hat variant which we might call point B. Then one runs a 'diff' in that version-control system between A and B, and starts reading the diffs to see what is happening. Over time, both the pristine kernel, and the patched Red Hat versions will vary, and one will get a sense for which 'diff' parts matter, and which are cosmetic cleanups."

Other distros will not be affected, Red Hat's Stevens says, because the company distributes its kernel changes upstream as well. "The work that we've done should not impede companies from building their own versions of Linux and supporting those for their customers," he says. "All the code we deliver through RHEL is out there. In most cases, the changes that go into RHEL, we already distribute into the upstream kernel. We have an upstream-first policy, where we're developing openly and then later integrating into our tree and then delivering it. So it shouldn't at all impede the community or anybody that's in the business of competing on that."

Red Hat, he reiterates, is trying to keep RHEL-specific knowledge away from Oracle and Novell. With past RHEL kernel-code distributions, the patches mapped to articles in Red Hat's knowledge base. "It makes competitors do heavy lifting," he says. "If you want to support RHEL, remove the trademarks, and do some heavy lifting. If nothing else, it causes competitors to have to invest."

This won't hamper CentOS, he says, because CentOS isn't in the support business. "The code is still available. It's just more difficult to support the distro as a commercial entity. CentOS is not in the support business."

Oracle and Novell are in the support business. And whatever collateral damage was caused by Red Hat's change in policy, one thing is for sure. On some level, it will indeed be more difficult for Oracle and Novell to pilfer the company's customers. ®
