Fellow Linux users:
If you use any version of Linux, especially pay versions, you will ask, or your boss will ask you, these question(s): "Can we save some money using CentOS vs Red Hat (RHEL)?", "Are/Aren't they the same thing?", "Will it (CentOS) work in our environment?" and many other questions.
My boss has asked me to research such things. I have searched and researched. I haven't seen a fact anywhere; what I have found is a lot of conjecture, consultant speak, etc.
Realistically, the boss wants to know, "What is the Cost vs Risk?"
I was recently speaking with two Red Hat employees (over licensing) and explained my dilemma to them. I asked them what their take was and if they had anything on "Red Hat vs CentOS". I was sent over a presentation titled "The Red Hat Enterprise Linux advantage over CentOS in your enterprise". My boss, upon reviewing the presentation, stated, "That is very biased toward RHEL." I asked, and I was told by the Red Hat employees, "This was the current presentation, even though some of the link dates were 2012, and it was in the public domain and I could post it here." I'm not going to post the entire presentation here; it is very long.
However, this is why I am posting this here. I want the biased CentOS side to some of the statements from the presentation. I'm going to ask that you begin by stating your affiliation with CentOS (developer, user, employee, etc.) and how long. Then, let me have your bias and response to the statements and questions below.
RH statement #1:
CentOS is not Red Hat Enterprise Linux
While CentOS may be derived from RHEL sources...
CentOS does not include ALL Red Hat Enterprise Linux source code
CentOS includes packages and capabilities not found in RHEL
CentOS is built and tested in a completely different environment than Red Hat Enterprise Linux
CentOS has not achieved any government security certifications
Major hardware and software vendors do not certify CentOS for use with their products
Question(s) #1: Well, is CentOS the same? Red Hat states it is not.
RH statement #2:
The CentOS project is not a company
The CentOS project provides no legal warranties, guarantees, or indemnification to their users
The CentOS project has no formal support relationship with Red Hat
Updates and patches for CentOS lag behind Red Hat Enterprise Linux
CentOS project only supplies updates and patches for the latest versions of the OS – no Extended Update Support or Extended Lifecycle Support
Is CentOS a company? Who or what is responsible/liable when you have no company behind the product?
RH statement #3:
CentOS is not a certified or supported virtualization host or guest for Red Hat Enterprise Linux
CentOS is not a certified or supported platform for many enterprise applications or databases (e.g., SAS, SAP, OracleDB, OracleMiddleware)
Red Hat has a contract with Oracle to redistribute Oracle Java SE binaries (including the JDK and JRE) and to support those products as part of a RHEL subscription.
CentOS does not ship Oracle Java SE; CentOS users who wish to use Oracle Java SE must download and install it directly from Oracle.
CentOS users who would like to have commercial support for Oracle Java SE have to purchase a separate support agreement from Oracle
Oracle does not recognize CentOS as a certified platform for Java SE
What if...your application suddenly doesn't run or perform well? What if...your application won't run on your new hardware? Can CentOS help solve these?
I found this current issue: viewtopic.php?f=47&t=56402
and many others unanswered in the forum.
RH Statement #4:
Security CVEs are issued for Red Hat Enterprise Linux, not CentOS
Applying CVEs to Red Hat Enterprise Linux is an automated process
Identifying which CVEs correspond to the appropriate Red Hat Enterprise Linux security patch and ensuring they are applied properly becomes a manual process with CentOS
A few words from CentOS on CVEs
“...CentOS does NOT usually do any verification with respect to CVE issues. We build what Red Hat releases when they release it. Their security and engineering teams are the ones that research the problem, develop a plan, write code, build the new packages and test to verify that:
1) There was a problem that needs fixing.
2) The fix proposed actually fixes the vulnerability (in RHEL).
We then grab the released code after Red Hat publicly releases it and build it for CentOS.
What does this mean for CentOS users ... it means that YOU are responsible to test that there is no longer an issue in YOUR environment after you do the install. If you want a CERTIFIED fix that has been tested, that is what Red Hat provides in RHEL. The reason they charge a subscription price is because they do all this testing and they provide assurance that the issues are known, fixed, tested, and certified as mitigated.”
- Johnny Hughes, CentOS project team member
http://lists.centos.org/pipermail/cento ... 43094.html
What if... a security vulnerability is discovered in your OS?
Scenario: "A dangerous security vulnerability in CentOS is posted to the web"
Do I have my IT staff research a workaround to secure my systems until a patch becomes available?
Do I have my IT staff research and generate their own patch and maintain it?
I asked for information about you earlier. As for myself, I have been using some version of Unix since the late 70's; versions include BSD, Xenix, SCO, AIX, HP-UX, Linux (many flavors). I have been at my current company for close to 19 years, in various positions. Currently, I use mostly RHEL 6, about 150+ installations, with some CentOS, Ubuntu and Linux-based appliance.
I appreciate any responses that I receive, apologize for any typos or grammar mistakes, and would like to thank you in advance for your time.
One with Questions!