CentOS bills itself as an alternative to RHEL or Novell's SUSE Linux Enterprise Server, but can you trust it to run your business?
The CentOS project released CentOS 5.6 on Friday April 8 a mere five days short of three months since Red Hat released Red Hat Enterprise Linux 5.6. Meanwhile CentOS 5.x users have been without security updates, and CentOS 6 probably won’t roll in until RHEL 6 hits the six-month mark. Can the CentOS project be relied on for anything but hobby usage?
Once upon a time, the CentOS project looked like a great alternative to RHEL or Novell’s SUSE Linux Enterprise Server for small companies or organizations that had little money to pay subscription fees. Binary compatibility with RHEL but a small lag in updates and no support — not a bad deal for cash-strapped organizations and users who want to be familiar with RHEL but don’t want to shell out upwards of $350 a year just for a RHEL subscription.
The project, on its front page, says that it’s “enterprise-class,” and says it has advantages over other “clone projects” thanks to “quickly rebuilt, tested, and QA’ed errata packages” and “developers who are contactable and responsive.” Let’s look at these claims in the light of recent CentOS activity.
Enterprise-class is partially true, as the project takes great pains to be binary compatible with RHEL. So let’s give half points for that one. The other half of “enterprise-class” is that updates arrive in a timely fashion, which is notably false for the 5.x series. If I understand correctly, there have been a handful of updates prior to the release of CentOS 5.6 for the 5.x series — but nothing else. So, if you consider timely updates a requirement for “enterprise-class,” we can count CentOS out now.
The same goes for the claim of “quickly rebuilt… errata packages.” Unless the definition of “quickly” has changed drastically in the last few years, this is out the window.
As for developers who are contactable and responsive — well, you can contact them, and they might even respond. Well, the project leader — Karanbir Singh — didn’t bother responding when I sent him questions a few weeks ago asking what the status was for 6.0 and why it’s taking longer than prior releases. It’s been sort-of addressed on the CentOS list when other people have asked about the release, but I was hoping to get an official response for publication. No dice.
If you read through the developers list, what you see is a very small team of core developers that seem to have very little interest in expanding the crew or having an open project. The team has gotten increasingly defensive as the releases have gotten later and later, though now that 5.6 is out the door I see a little softening and searching for feedback on the part of Singh. But as one poster said “you can’t expect positive feedback and mailbox full of scripts after many weeks of ‘you don’t like it, go aways.’”
In short — the community has good reason to have lost faith in the CentOS team at this point, as the CentOS folks have basically been very poor at communicating with the larger community that depends on them. It doesn’t help to have a member of the CentOS team telling people CentOS is for the community… it is not BUILT by the community. (Emphasis mine, caps theirs.)
Nobody Got Fired for Buying IBM: You Might for Deploying CentOS
You know the old saying, “nobody ever got fired for buying IBM”? I don’t know if that’s true or not — seems likely to me that somebody, somewhere may have been fired for buying IBM in its rather lengthy history, but as a rule it’s a good call. And it’s quite likely that people have been laid off to make room in the budget for an IBM purchase, but I digress…
IBM might be pricey, it might not be sexy, but you can count on it. On the other hand, if you’re betting your job on CentOS, and some admins are, you might want to think twice.
Imagine your boss coming into the office and after reading about a major vulnerability in the Linux kernel that affects RHEL. Now, imagine explaining to your boss that even though Red Hat patched the vulnerability three weeks ago, you haven’t updated the company’s servers — and you don’t have any idea when you’ll be able to. When will the CentOS team release an update? No idea, and asking on the list just draws flames from the CentOS developers. Can we help? No, go away. Don’t like it, go elsewhere.
CentOS is a volunteer project, and the team that runs CentOS can stick to any schedule they want to — or not, as the case may be. But the project does make claims in a roundabout way about its suitability for enterprise use and “quickly built” updates. They might want to see to the language on the site if they wonder why users are getting bent out of shape when updates are months in the making. (The FAQ says “our goal is to have individual RPM packages available on the mirrors within 72 hours of their release” — and they’re quite a ways away from that.)
If CentOS is to remain even remotely relevant, it’s going to need to change the way the project is structured and find a few more volunteers to handle the load. And that’s going to require a change of attitude on behalf of those running the project, and the involvement of more than the core team that CentOS has going for it now.
LWN recently wrote about the long delays and called on consumers of CentOS to step up and pitch in. There’s merit to that if the core developers make it possible to do so. At this point, I hate to use the f-word (not that f-word, I use that quite often…) but it seems to me that it may need a fork or new effort to provide a reliable Red Hat clone that’s totally compatible. I’m aware of Scientific Linux, but they don’t try to be quite a direct clone of RHEL, which is what quite a few people need. (Red Hat could help things by offering a subscription that lets individuals support them at less than $350 a year…)
I’m pretty bummed about the direction that things have taken with CentOS. In the past I’ve recommended it as an alternative to RHEL for companies that are not in a position to dole out big cash for RHEL subscriptions. No longer — I’d sooner suggest that companies take up Debian or Ubuntu Server or scrounge up the cash for the subscription. Not that there’s anything wrong with Debian or Ubuntu LTS Server — but a lot of software is certified and packaged for RHEL that’s not certified for Debian or Ubuntu.
CentOS has been a valuable part of the Linux ecosystem for some time. It’s even been beneficial to Red Hat by helping it maintain its status as the de facto enterprise Linux, without competing too fiercely for support dollars. But the extreme delays in the release of updates for 5.x and the total absence of 6.0 after almost six months gives me little confidence in the CentOS project as it’s run today. It’s neither a community project in any real sense, nor suitable for enterprise or even small business use. It doesn’t have to remain that way, but as it stands now it’s not good business sense to rely on the project even if it costs nothing in support fees.