Rocky Linux from CIQ – Hardened
50 comments
· March 19, 2025 · neilv
nazunalika
>CentOS used to be a free rebranding of RHEL.
CentOS was a binary/functionally compatible build of RHEL without the RHEL branding.
>IBM effectively cut off CentOS.
Red Hat (not IBM) made the decision to end CentOS Linux and move their focus toward CentOS Stream.
>Rocky Linux is the replacement free RHEL-compatible distro...
Rocky Linux is one of many choices for a RHEL-compatible distribution. I would also say CentOS Stream is also a viable choice. It works well from my own personal experience.
>but is higher effort to maintain than CentOS was.
Speaking as the lead of Release Engineering, it does require quite a bit of effort to maintain Rocky Linux. It can be especially time consuming during May and November when releases are scheduled, given that it's volunteer time.
As for CIQ, who knows what they offer or what it is they are actually doing with our distribution. Is it to check a box? Probably, given the way I've seen some companies act around these sorts of things. Does it offer security improvements? Who really even knows.
mananaysiempre
> Rocky Linux is one of many choices for a RHEL-compatible distribution. I would also say CentOS Stream is also a viable choice.
One of the main value propositions of RHEL (and RHL before it) is that each distro version has a fixed ABI throughout (kernel included), making it a valid compilation target for binary-only software. Neither Stream nor even Alma are that.
nazunalika
>One of the main value propositions of RHEL (and RHL before it) is that each distro version has a fixed ABI throughout (kernel included), making it a valid compilation target for binary-only software. Neither Stream nor even Alma are that.
Maybe for current point releases of RHEL and derivatives, building against CentOS Stream may not be that great of an idea. For example, EPEL has different build targets that build against RHEL or CentOS Stream to account for the differences between point releases such as libraries (especially qt libraries!) and also to make the transition easier for their users between point releases when running a dnf update on the next RHEL point release.
As a side tangent: In my opinion, I think vendors should be compiling software against CentOS Stream to ensure compatibility and validation for the next RHEL point release, which should work for the next point release of RHEL, Rocky Linux, AlmaLinux, and even Oracle Linux. I've not seen many vendors do this, though.
With that said, the differences that AlmaLinux have should not cause incompatibilities (and if there are, I can't see them being anything more than minor issues). This means that builds on an AlmaLinux build root should allow the software to still work on the others. Any of the distributions in the family should be fine as build targets.
bluedino
Also, many software vendors don't support CentOS Stream.
rob_c
Push off if you think Alma isn't this. The differences are minuscule and basically amount to Alma's customers preferring to have some Stream backports first, effectively.
If Rocky is claiming they're better, they're either breaking rules or lying. And if the community believes them I'm just going to walk away and talk to the business small medium and large putting their money where it matters, not in more CIQ FUD.
spapas82
> Red Hat (not IBM) made the decision to end CentOS Linux and move their focus toward CentOS Stream.
The fact is that Red Hat killed CentOS a little after it was acquired by IBM. Who decided this is not something that we'll learn (or even care anyway).
randombits0
It’s unthinkable that RedHat killed CentOS without the OK from IBM.
felbane
Hey just want to take the opportunity to say thanks for your efforts with releng. I'm always pleasantly surprised by how quick and effective you folks are with getting updates built, validated, and shipped when upstream has a release.
Looking forward to Rocky 10!
mmooss
> Red Hat (not IBM) made the decision to end CentOS
I don't understand what you mean here? Wasn't Red Hat already owned by IBM when this decision was made?
carlwgeorge
The planning to swap the RHEL/CentOS relationship (i.e. CentOS Stream) long predated even the "intent to acquire" announcement from IBM, and of course the actual acquisition as well.
ndiddy
Some further context:
- Greg Kurtzer, CIQ's founder and CEO, is the creator of Rocky Linux and the president & owner of the Rocky Enterprise Software Foundation.
- Many of the Rocky Linux maintainers are CIQ employees.
- The EULA for CIQ's commercial version of Rocky Linux is just as restrictive as the terms that Red Hat used to cut off RHEL source code availability. Notably, there's a section saying that customers may not "provide, license, sublicense, sell, resell, rent, lease, share, lend, or otherwise transfer or make available the Software to any third parties, except as expressly permitted by Ctrl IQ in writing".
mmooss
> Rocky Linux is the replacement free RHEL-compatible distro
Wasn't (isn't) there another CentOS replacement that was created around the same time? Are they still around? Are there alternatives or is Rocky pretty much it?
trod1234
You are thinking of Alma, and I believe they are still going, though a lot seemed to be up in the air.
mrbluecoat
What's up in the air?
rob_c
No, community is more stable and professional.
Frankly, given I get fewer issues than my Rocky counterparts working 1 rack over, my look of "I told you so", every time, says it all.
999900000999
>Secure All packages validated and delivered via secure supply chain from CIQ repositories.
How deep does this go?
Are they inspecting every line of code in every source repo?
What happens when I need a package they haven't validated yet?
owl_vision
As seen on the about page[0]: "Named in honor of CentOS co-founder Rocky McGaugh"
"Gregory Kurtzer, our CEO and founder," the other CentOS guy.
liamnal
Greg is not the founder of CentOS and people need to stop believing his lies. He's said this lie so much that even he believes it.
jonathanspw
Greg Kurtzer is not the founder of CentOS. This is FUD he's been regurgitating ever since tricking one of the past CentOS community managers into doing a blog post.
If you read the mailing list archives you'll see the truth.
nhanlon
Well that's certainly _one_ way to tell the story, now isn't it, Jonathan.
jonathanspw
You can't ban me here for speaking truth like you can on reddit, can you :)
Edit: also, it's literally the true version of the story. Do your own research. It's all public and logged.
client4
But is it FIPS certified?
broknbottle
carlwgeorge
That doesn't show any actual FIPS certificate numbers. Neither does the top link. If CIQ has any FIPS certificates I can't imagine why they wouldn't list them prominently to remove any doubt. That's what Red Hat does.
e40
How much?
rob_c
And more drama from the machine that is being the FUD created over every misstep of RHEL/IBM. And I mean misstep not evil attack on the community. CIQ is the worst of FOSS and a blight causing nonsense arguing rather than actually contributing to a better community.
mistrial9
Well, that is direct! But from an outsider's point of view... isn't the larger picture that nation-states (USA) and federated countries (EU, UK) are requiring secure, signed and authoritative packaging for binaries that are deployed for national critical infrastructure and more. The laws of the EU requiring a public register of origin for software, each binary (?) So despite the direct language there, actually it can get worse, for example hypothetical Irish casino operators make a company that is the title holder to build secure binaries to spec, and it is a massive lawyer-fest and billing machine while things accumulate. Is this possible?
Can someone confirm or fill in details?
* CentOS used to be a free rebranding of RHEL.
* IBM effectively cut off CentOS.
* Rocky Linux is the replacement free RHEL-compatible distro, but is higher effort to maintain than CentOS was.
* "Rocky Linux from CIQ" is a commercial product that is attempting to compete with RHEL, by being lower-cost essentially-RHEL while still satisfying some is-there-a-company-behind-it "compliance" checkboxes that companies require?
* "Rocky Linux from CIQ - Hardened" offers some supposed security improvements that vanilla RHEL doesn't?