Tell HN: Red Hat rejects AlmaLinux CVE patch to CentOS Stream: no customer demand
18 points by profwalkstr on July 19, 2023 | 8 comments
In an unexpected and surprising move, contrary to what Red Hat has been saying lately to the community about CentOS Stream collaboration and rebuilders, Red Hat will reject patches to CVE issues, developed by downstream contributors, in CentOS Stream citing "no customer demand".

Link to CentOS Stream Gitlab of the AlmaLinux CVE patch commit: https://gitlab.com/redhat/centos-stream/rpms/iperf3/-/merge_requests/5

Discussion going on Reddit: https://www.reddit.com/r/AlmaLinux/comments/1544w8b/red_hat_refuses_almas_cve_patches_to_centos/
The headline is incorrect, this has NOT been "rejected".

This is what the initial response said:

> Thanks for the contribution. At this time we don't plan to address this in RHEL but we will keep it open for evaluation based on customer feedback.

Carl George followed up on /r/almalinux with this:

> The request is still open and has not been rejected. The CVE hasn't even gotten a severity rating yet. So maybe tap the brakes and see how it plays out. Just like in any other open source project, asking for contributions does not automatically guarantee that every contribution will be merged.

It is entirely possible that this will end up being merged within a week if it is judged a serious security issue, but until then it's just "a CVE that someone filed", which doesn't necessarily mean much.

Disclosure: I work for Red Hat.


That's a rejection.



What a brain dead reply.

What's so difficult about merging a patch that fixes a CVE?

You should genuinely be embarrassed at this stupid attempt to justify Red Hat's incoherent policies.


https://i.redd.it/5a55lysqeddb1.png

The CVE had not received any analysis or ratings at the time. Now it has, and the patch has been merged.


My few experiences with RH support/engineering have been universally bad. Each time they basically said, well, that won't get fixed since the fix for that behavior wasn't patched until a later feature release.

Support means fuckall when they don't care or their timelines are measured in quarters and years. It's why when someone says "oh, you are paying for support" I just laugh at them. The tens of thousands of dollars we paid per year for RHEL would have been infinitely better utilized for supporting upstream projects and their developers.


Nice ... This is actually a precedence to ignore all RedHat and RedHat based distros ...


This is a great opportunity to not pile on Red Hat and instead let things play out for 48 hours before dropping hot takes.