Rocky Linux from CIQ – Hardened
53 comments
March 19, 2025 · neilv
nazunalika
>CentOS used to be a free rebranding of RHEL.
CentOS was a binary/functionally compatible build of RHEL without the RHEL branding.
>IBM effectively cut off CentOS.
Red Hat (not IBM) made the decision to end CentOS Linux and move their focus toward CentOS Stream.
>Rocky Linux is the replacement free RHEL-compatible distro...
Rocky Linux is one of many choices for a RHEL-compatible distribution. I would also say CentOS Stream is a viable choice. It works well from my own personal experience.
>but is higher effort to maintain than CentOS was.
Speaking as the lead of Release Engineering, it does require quite a bit of effort to maintain Rocky Linux. It can be especially time consuming during May and November when releases are scheduled, given that it's volunteer time.
As for CIQ, who knows what they offer or what it is they are actually doing with our distribution. Is it to check a box? Probably, given the way I've seen some companies act around these sorts of things. Does it offer security improvements? Who really even knows.
mananaysiempre
> Rocky Linux is one of many choices for a RHEL-compatible distribution. I would also say CentOS Stream is also a viable choice.
One of the main value propositions of RHEL (and RHL before it) is that each distro version has a fixed ABI throughout (kernel included), making it a valid compilation target for binary-only software. Neither Stream nor even Alma are that.
nazunalika
>One of the main value propositions of RHEL (and RHL before it) is that each distro version has a fixed ABI throughout (kernel included), making it a valid compilation target for binary-only software. Neither Stream nor even Alma are that.
Maybe for current point releases of RHEL and derivatives, building against CentOS Stream may not be that great of an idea. For example, EPEL has different build targets that build against RHEL or CentOS Stream to account for the differences between point releases such as libraries (especially qt libraries!) and also to make the transition easier for their users between point releases when running a dnf update on the next RHEL point release.
As a side tangent: In my opinion, I think vendors should be compiling software against CentOS Stream to ensure compatibility and validation for the next RHEL point release, which should work for the next point release of RHEL, Rocky Linux, AlmaLinux, and even Oracle Linux. I've not seen many vendors do this, though.
With that said, the differences that AlmaLinux have should not cause incompatibilities (and if there are, I can't see them being anything more than minor issues). This means that builds on an AlmaLinux build root should allow the software to still work on the others. Any of the distributions in the family should be fine as build targets.
bluedino
Also, many software vendors don't support CentOS Stream.
rob_c
Push off if you think Alma isn't this. The differences are minuscule and basically amount to Alma's customers preferring to have some Stream backports first, effectively.
If Rocky is claiming they're better, they're either breaking rules or lying. And if the community believes them I'm just going to walk away and talk to the businesses, small, medium and large, putting their money where it matters, not in more CIQ FUD.
spapas82
> Red Hat (not IBM) made the decision to end CentOS Linux and move their focus toward CentOS Stream.
The fact is that Red Hat killed CentOS a little after it was acquired by IBM. Who decided this is not something that we'll learn (or even care about anyway).
randombits0
It’s unthinkable that Red Hat killed CentOS without the OK from IBM.
felbane
Hey just want to take the opportunity to say thanks for your efforts with releng. I'm always pleasantly surprised by how quick and effective you folks are with getting updates built, validated, and shipped when upstream has a release.
Looking forward to Rocky 10!
mmooss
> Red Hat (not IBM) made the decision to end CentOS
I don't understand what you mean here? Wasn't Red Hat already owned by IBM when this decision was made?
carlwgeorge
The planning to swap the RHEL/CentOS relationship (i.e. CentOS Stream) long predated even the "intent to acquire" announcement from IBM, and of course the actual acquisition as well.
ndiddy
Some further context:
- Greg Kurtzer, CIQ's founder and CEO, is the creator of Rocky Linux and the president & owner of the Rocky Enterprise Software Foundation.
- Many of the Rocky Linux maintainers are CIQ employees.
- The EULA for CIQ's commercial version of Rocky Linux is just as restrictive as the terms that Red Hat used to cut off RHEL source code availability. Notably, there's a section saying that customers may not "provide, license, sublicense, sell, resell, rent, lease, share, lend, or otherwise transfer or make available the Software to any third parties, except as expressly permitted by Ctrl IQ in writing".
the_real_swa
https://ciq.com/legal/eula/rocky-linux-from-ciq/
" .... The license granted in this Section 4 is conditioned upon Customer’s and its Authorized Users’ compliance with this Agreement. To the extent that the Software provided to you is not under an open source license, ...."
missed that part?
Now check the RHEL EULA wrt distributing the SOURCES of the FOSS based binaries.
ndiddy
Welcome to Hacker News, I'm glad my comment encouraged you to join the site :)
RHEL's EULA has a similar sentence, "This Agreement establishes the rights and obligations associated with Subscription Services and is not intended to limit your rights to software code under the terms of an open source license." That's what I meant by "just as restrictive". Both services are subscriptions where continued access to the software provided by the subscription is conditional on the subscriber not giving third parties access to the service. CIQ's EULA also says that subscribers may not "access the Software in order to build a competitive product or services", which seems ironic considering their business model.
mmooss
> Rocky Linux is the replacement free RHEL-compatible distro
Wasn't (isn't) there another CentOS replacement that was created around the same time? Are they still around? Are there alternatives or is Rocky pretty much it?
trod1234
You are thinking of Alma, and I believe they are still going, though a lot seemed to be up in the air.
mrbluecoat
What's up in the air?
rob_c
No, community is more stable and professional.
Frankly, given that I get fewer issues than my Rocky counterparts working one rack over, my look of "I told you so", every time, says it all.
999900000999
>Secure All packages validated and delivered via secure supply chain from CIQ repositories.
How deep does this go.
Are they inspecting every line of code in every source repo ?
What happens when I need a package they haven't validated yet ?
owl_vision
as seen on the about page[0] "Named in honor of CentOS co-founder Rocky McGaugh"
"Gregory Kurtzer, our CEO and founder," the other CentOS guy.
liamnal
Greg is not the founder of CentOS and people need to stop believing his lies. He's said this lie so much that even he believes it.
realgmk
I don't appreciate being called a liar and I am happy to debate this with anyone else who was actually there.
jonathanspw
Greg Kurtzer is not the founder of CentOS. This is FUD he's been regurgitating ever since tricking one of the past CentOS community managers into doing a blog post.
If you read the mailing list archives you'll see the truth.
nhanlon
Well that's certainly _one_ way to tell the story, now isn't it, Jonathan.
jonathanspw
You can't ban me here for speaking truth like you can on reddit, can you :)
Edit: also, it's literally the true version of the story. Do your own research. It's all public and logged.
realgmk
Why do you always take every opportunity you can to try and discredit me on this? Anytime someone mentions me, boom, there you are, in every social media, everywhere, being the first to try to discredit me. As a spokesperson for a competing project, I'd expect a higher level of decency than spreading FUD like this.
I'd be happy to discuss and debate this with you, but you weren't actually there. I tell you what, go find someone else who was actually there at that time, and I'd be happy to discuss it with them publicly.
client4
But is it FIPS certified?
broknbottle
carlwgeorge
That doesn't show any actual FIPS certificate numbers. Neither does the top link. If CIQ has any FIPS certificates I can't imagine why they wouldn't list them prominently to remove any doubt. That's what Red Hat does.
rob_c
And more drama from the machine that is being the FUD created over every misstep of RHEL/IBM. And I mean misstep not evil attack on the community. CIQ is the worst of FOSS and a blight causing nonsense arguing rather than actually contributing to a better community.
mistrial9
well that is direct! but from an outsider's point of view.. Isn't the larger picture that nation-states (USA) and federated countries (EU, UK) are requiring secure, signed and authoritative packaging for binaries that are deployed for national critical infrastructure and more. The laws of the EU requiring a public register of origin for software, each binary (?) So despite the direct language there, actually it can get worse, for example hypothetical Irish casino operators make a company that is the title holder to build secure binaries to spec, and it is a massive lawyer-fest and billing machine while things accumulate. Is this possible?
gbraad
Oh wait, it is a commercial offering ... Hardened? What do they actually do besides repackaging. I fail to see what this provides over RHEL or even AlmaLinux. They will always be a downstream/derivative who does not really engage with the upstream.
e40
How much?
Can someone confirm or fill in details?
* CentOS used to be a free rebranding of RHEL.
* IBM effectively cut off CentOS.
* Rocky Linux is the replacement free RHEL-compatible distro, but is higher effort to maintain than CentOS was.
* "Rocky Linux from CIQ" is a commercial product that is attempting to compete with RHEL, by being lower-cost essentially-RHEL while still satisfying some is-there-a-company-behind-it "compliance" checkboxes that companies require?
* "Rocky Linux from CIQ - Hardened" offers some supposed security improvements that vanilla RHEL doesn't?