Chris Tankersley

Thoughts on Red Hat and the GPL Situation

Posted on 2023-07-01

On June 23rd, 2023, Red Hat announced that "CentOS Stream will now be the sole repository for public RHEL-related source code releases.". This set off alarm bells for many people, including Jeff Geerling. Jeff posted a great video that summarizes what all of this means, but for those of you that have not seen the video or read any commentaries on the articles what does all of this mean?

Why Are There Multiple Versions of Linux?

The ecosystem around Linux is built upon the idea of sharing software. The Linux project produces what is called a Kernel, or a program that exists at the core of an operating system to run everything else. The kernel itself needs software to run alongside it, which is usually termed "userland software." This includes things like text editors, web browsers, desktop managers, and essentially everything except super low-level things like hardware access. All of this software is grouped together to create a "distribution," and it really is nothing more than a collection of software with no more commonality than the use of the Linux kernel. You can swap out the kernel or the software and (generally) everything is fine. Collectively this is called a "distribution."

This is a little bit different than operating systems like FreeBSD, where the kernel and software are packaged together as a singular source. You install a version of FreeBSD which has a specific kernel and set of software, and something else like OpenBSD has its own kernel and set of software. Proprietary operating systems like Windows and macOS work this way as well.

The Linux ecosystem has spawned a series of distributions that are based on other distributions. Ubuntu is based on Debian, as is Linux Mint. Why does this happen? Usually, because one distribution has restrictions some users do not like. Debian tends to heavily value stability so has a very strict policy for upgrading packages, making many Debian packages based on older code. Ubuntu has a much more relaxed policy but uses Debian packages as a base. PopOS! builds on top of Ubuntu as Ubuntu is newer than Debian, and came into being because Canonical decided to stop work on Unity, the window manager Ubuntu used to use. It now focuses on supporting the hardware that System76 builds and has a different policy for non-free software than Debian or Ubuntu do.

In the case of Red Hat, the flow of code works differently. The base distribution for Red Hat is Fedora, which includes the most bleeding edge code. As code is validated as stable and decisions are made on versions, this flows into CentOS Stream. CentOS Stream is eventually locked down to specific packages and released as Red Hat Enterprise Linux, which has a very long support lifecycle and therefore is considered very stable. The issue people have with using RHEL is the cost, as RHEL is a commercial product that includes support.

Almost all software distributed for Linux is considered "Open Source," which means that raw source code for the software is made available to just about anyone. This allows users to modify software any way they see fit, and distribute those changes to other people. This is accomplished through a variety of open-source licenses, which I've talked about before, and in most cases, this source code is easy for people to access. The internet has made it easy to distribute source code through sites like GitHub or GitLab, and running a standalone source code repository or even an FTP server with source code are ways that distributions have also supplied source code.

Red Hat used to provide source code as a git repository that they hosted. Users could download the source code and compile the packages themselves, and if they did you would have a copy of RHEL without any RHEL branding. This brought into being CentOS, which used to be a third-party distribution based on RHEL source code. Users could download a CentOS release and could be safe in the knowledge that something like CentOS 6.3 was compatible with RHEL 6.3, and was completely free (as in cost). You did not get support like you would if you purchased RHEL through Red Hat directly, but many users did not or could not afford a full Red Hat license. All of this was legal thanks to how open-source software license work.

Consolidation

In 2014 Red Hat acquired the CentOS project but promised that nothing would change. In 2020, however, Red Hat announced that CentOS as a project would be discontinued and in 2021 would move to a rolling, testing release for RHEL. This meant that CentOS would be more stable than Fedora, but would not guarantee to be 100% compatible with RHEL as it would become what amounted to "the next version" of RHEL at all times. In response to this other distributions popped up like Rocky Linux and AlmaLinux to fill the gap that older CentOS releases filled. During this entire time, we also had Oracle Linux, a second commercial distribution based on RHEL source code and operated by Oracle Corporation.

The change announced by Red Hat now means that projects like Oracle Linux, Rocky Linux, and AlmaLinux now do not have direct source code access to RHEL, and just CentOS Stream. That means they cannot promise exact compatibility for the current versions of RHEL, but just "the next version," and since CentOS Stream has the potential to not be as stable they cannot promise the stability that RHEL provides. They can no longer fill the gap that some users wanted them to fill. If users want RHEL, they will have to become a customer of Red Hat.

Why Do This?

It is clear that Red Hat clearly wants to make more people pay for access to RHEL, and sees these derivatives as lost sales. In many cases though the reason users went with CentOS originally, or free alternatives like Rocky or AlmaLinux, was because the pricing structure supplied by Red Hat did not work. A license for a single server started at $349 and that includes no support, is restricted to physical (not virtual) servers, cannot be combined with any other RHEL licenses, and is labeled as not production ready. This then means for a "production ready" license you need to spend at least $799. Oh, and these are yearly subscription licenses.

For many users, this is not economical. Why pay $349 a year for a license with no support when you could just use Rocky or AlmaLinux instead? If these derivatives did not exist users would just use some other stable distribution like Debian or SUSE. RHEL is treating RHEL alternatives as some sort of piracy situation where each install of Rocky equates to a sale that was "stolen."

In response to a post on LinkedIn by Jeff Geerling Mike McGrath, Vice President of Core Platforms at Red Hat, confronted the term "freeloaders."

Finally, I wanted to say something about the term "freeloaders" I've seen many use it. This is a mostly internal term we have at Red Hat, it looks like at some point it slipped out in the public. So what does it mean? A freeloader is when a large enterprise business has 20 RHEL licenses, 150,000 community rebuild systems, and sometimes hundreds of user accounts and hundreds of kbase searches per month. It's not the enthusiasts, it's not the hackers and coders, it's not the academics, and it's not the people that use rebuilders because they can't afford it. We really try not to use the term, but when we do, it's about the large companies that can afford to pay but don't.

-- Mike McGrath, 2023

So to coerce large users who could pay they went with a solution that kills access to all non-paying customers including the users who they claim are not the problem.

How Can They Do This?

Most people coming into this ask how Red Hat can legally do this. Isn't almost all the source code used and published by Red Hat some variation of the GNU Public License, which requires the source code to be made available? Yes, yes it is. Then how can they lock access behind a paywall?

The GPL specifies that if you receive a compiled version of a piece of software, say in an RPM or DEB package, the packager must allow you access to the source code upon request. They are not required to ship the source with the binary but must make it available as conveniently as possible for a user who requests it. There is no requirement that the source be available for non-users or every person on the planet, or that the source code be available in a format that is easy to download and consume. This allows GPL software to be sold commercially and is all totally within the guidelines of the GPL. Red Hat is only required to give source code to users, which they may deem as people who have paid for RHEL, and only when they request it.

The second argument comes up with the fact that to be a RHEL customer, you must agree to a secondary End User License Agreement. This EULA imposes additional restrictions on how you can use the software, such as limiting installation to physical hardware, and includes provisions for revoking user subscriptions and accounts if a user shares RHEL source code. The GPL, however, states that a developer cannot impose any additional limitations above-and-beyond what is in the GPL. How do they get away with this?

Simple - the GPL still allows this. The GPL is singularly focused on making sure that software that you receive has a list of freedoms, including the ability to be modified and shared, and forcing the developer to make those modifications and sources available. Nothing in the additional EULAs and agreements stops this from happening. If I were to sign up for a RHEL subscription, download all the source code, and redistribute it, I am allowed to do so under the GPL. I could not be sued for this or be considered in breach of the license.

What the GPL does not provide, nor care about, is continued access to other software. If you purchase software from a vendor and it includes GPL software, the vendor is under no obligation to supply you with future or past software. If you purchased "Accounting Software v1.45", the vendor is only required to give you source access to v1.45 of that software. They are under no obligation to give you access to 1.44 or 1.46. All the vendor has to legally do is supply you with the source for the software that was delivered to you. If you do something that causes them to no longer consider you a customer and, therefore, stop receiving the software, they are under no obligation to give you access to the software in the future.

The GPL does not provide perpetual access to software, it only provides source access to a binary distribution you received. It does not account for and therefore does not differentiate, subscriptions or single transaction purposes. So Red Hat is entirely within its rights to restrict source code from non-users, and if you do something to cause yourself to no longer be a customer, Red Hat is under no obligation to continue to give you anything more than the source code for binaries you have already received. They are only obligated to give you the source code for the software you have already received.

Letter of the Law vs Spirit of the Law

There is a concept of "Letter of the law vs the Spirit of the Law" which is the idea that laws can be interpreted in two ways - a strict interpretation of law based on the wording, and a looser interpretation based on the intent of a law. This exists because some laws a written in a very vague way that can cause unintended consequences, so the safest way to interpret a law is by the actual verbiage of that law. In many cases, very innocuous laws can become very harmful depending on how the law itself is read.

Many people, especially in the age of the internet, look at the GPL from the "spirit of the law" side. The GPL is designed as a way for code to be forever shareable, and attempts to lock code down are frowned upon. Thanks to TiVo, the GPL v3 was rewritten in such a way to close loopholes that large corporations have found in wrapping GPL code so as to not provide source access to end users. The point of the GPL is to make sure the software source is available to everyone.

The disconnect is that this is not how the license is written. The GPL does not directly care for the end user or the developer. The GPL treats software as an entity with inherent rights, one of those being that software must be "free" in a liberty sense. It must be free to be modified, and users should have the freedom to share those modifications. Nothing that Red Hat is doing is infringing on that letter of the law.

There is an argument that they are in violation of the spirit of the law. Considering that for decades the source code for Red Hat, then Red Hat Enterprise Linux, Fedora, and now CentOS Stream have been available it rings a bit hollow that this is a "technical" decision and it is too hard to continue to make the source available. The source code for RHEL is being stored in version control somewhere, and it is conceivable that Red Hat could continue to make it available, just like the CentOS Stream source is made available. What has actually changed in the landscape that made Red Hat decide on this change?

I would say it is IBM, and it want to squeeze as much revenue from any product as possible. Nothing more, nothing less. Red Hat is in their full legal right to do what they are doing, but from an ethical standard they are ignoring what makes open source open source.

Where to go From Here?

Do the same thing that we have continued to do since the dawn of software - refuse to accept what corporations want and do what makes sense for you. For me, even though I have loved Fedora and spent years running RHEL and CentOS servers in businesses, I will be switching to something else. My current plan is to investigate NixOS as I am intrigued by not only the immutability aspect but also the reproducibility aspects. For servers, I may switch back to Debian, or potentially move to NixOS.

For you, do not forget that there are multiple alternatives out there that may better align with your ethics. If you want stability, look at OpenSUSE or Debian, or continue to support Rocky Linux or AlmaLinux. If you want a good desktop, there is always Ubuntu, Arch, or dozens of others that focus on specific niches like gaming or productivity.

Vote with your wallet and your downloads.


Comments