Back in January 2024 CVE-2024-1086 was published. Most distros picked up patches for this pretty quickly, but unfortunately RHEL and subsequently AlmaLinux (along with other downstreams) lagged behind. Keeping in mind that AlmaLinux no longer strictly follows RHEL 1:1, it begs the question of why this wasn’t patched sooner. The simple answer is that, with regard to doing our own patching outside of what Red Hat does, we are still figuring out what that looks like.
WARNING: This post is very image-heavy with full-res images.
Last week I had the opportunity to attend Fedora’s annual Flock event in Cork, Ireland. Flock is unique among conferences that I attend for/with AlmaLinux because it is 100% developer, contributor, and community-focused. There are no booths, no exhibitors, and little to no corporate influence. As a result, it’s a very different type of experience for me compared to other conferences.
The recent news of Red Hat’s decision to stop publishing sources on git.centos.org and its follow-up with quotes like “we have determined that there isn’t value in having a downstream rebuilder” has sent shockwaves across the open source community. Many are calling for Red Hat’s head on a pike, and on the other hand many support Red Hat’s decision.
Red Hat has made its position clear, many Red Hat employees have taken to Twitter to express their opinions, and the community has responded as well.