The attack of the Red Hat clones

Welcome to Runtime! Today: the first release of a new enterprise Linux project has arrived, Okta shares more details about how hackers got into its customer-support system, and the quote of the week.

(Was this email forwarded to you? Sign up here to get Runtime each week.)

Open for business

This week OpenELA, a consortium of companies that until this summer produced Linux clones based on a free distribution of Red Hat Enterprise Linux, released their own Enterprise Linux code designed to be compatible with RHEL. The announcement demonstrates CIQ, Oracle, and Suse's commitment to continue providing cheap RHEL-compatible Linux distributions after Red Hat made that goal much more difficult earlier this year.

The code released Thursday is designed to provide compatibility with RHEL version 8 and version 9, although ZDNet reported that it's not quite ready for prime time just yet. In case you missed enterprise tech's annual bit of open-source drama while taking a summer vacation, here's a quick recap:

• For many years prior to 2023, Red Hat provided a free, compatible version of its commercial RHEL product to support the CentOS project.
• But after moving the CentOS project "upstream" of RHEL — meaning RHEL is now built from CentOS code and not the other way around — Red Hat decided in June it no longer wanted to distribute a "downstream" version of its flagship product that could be used by anybody to make cheap or free operating systems compatible with RHEL.
• That move sparked a backlash among open-source advocates — a rather passionate bunch — who argued that RHEL wasn't living up to the terms of the GPL, a foundational open-source license that governs Linux.
• Red Hat believes that releasing the RHEL source code to its customers fulfills its obligations under the GPL, and argued this year that most people don't expect software companies — even open-source companies — to provide an exact copy of their commercial product that anyone can duplicate for free.

That decision left the vendors that relied on that free copy in a bind, and they joined forces in August to provide their own RHEL-compatible code base.

• The OpenELA release isn't a distribution; it's a repository of Linux code that is compatible with RHEL that the three partners will use to build their own Enterprise Linux distributions.
• Most companies don't have the skills to implement a raw open-source operating system on their own, which leads them to buy a distribution like RHEL from a vendor like Red Hat that comes with all the bells and whistles needed to make that code work in a production enterprise environment.
• But many of those companies have also been interested in low-cost or free Linux distributions like CIQ's Rocky Linux to use as development and testing servers, or for skunkworks projects that would still be compatible with their RHEL production servers.
• The OpenELA project wants to establish its code as the new standard for companies that want to use Linux as the foundation for their app development while maintaining compatibility with RHEL.

However, it's not clear how OpenELA will be able to maintain "bug-for-bug" compatibility with RHEL in the future.

• The code for the initial versions of OpenELA was free and clear to use under Red Hat's earlier terms, but it will be restricted in the future.
• Red Hat releases almost all of the code included in versions of RHEL through the CentOS project, but the project doesn't include all of the code that makes it into a final version of RHEL and therefore can't be relied upon as "bug for bug" compatible.
• Earlier this year CIQ founder and CEO Gregory Kurtzer told Runtime that future "bug-for-bug" compatible versions of RHEL could be obtained by simply launching a future version of RHEL on a cloud provider, which gives you access to the code without accepting any terms and conditions.
• Red Hat didn't agree with that thinking at the time, but didn't say one way or another if it would sue to enforce its licensing terms.

Unfortunate fortnight

Okta was unable to identify suspicious behavior in its customer-service portal for two weeks last month, it acknowledged Friday, leading to the exposure of data belonging to 134 customers before it was addressed.

The identity management company, which plays a key role for customers looking to authenticate users on their corporate networks, employs a relatively standard SaaS customer-service procedure that asked customers to share HAR files. Those files record how customers are interacting with a cloud service through their browser, and contain sensitive information about how to log into their accounts with the vendor.

But hackers were able to get access to a computer used by an Okta customer service employee that was signed into their personal Google account while also using a corporate Okta account. The attackers were able to get access to the HAR files through that account and "hijack the legitimate Okta sessions of 5 customers," which Okta did not notice until three of those customers — 1Password, BeyondTrust, and Cloudflare — informed the company that they had detected suspicious activity.

That's not a great look for a security company.

Quote of the week

“I often ask vendors to walk me through their product quote and explain what each product SKU or line item is, such as the cost for an application with the microservices and containerization. Most cloud agreements have an auto-renewal clause, which decreases leverage in negotiating prices upon renewal. I strike this language from all my contracts.” — Thomas Phelps, CIO and SVP of corporate strategy at Laserfiche, with some sage advice for enterprise tech buyers as reported by CIO.

The Runtime roundup

Several Cloudflare services remained down or degraded well into Friday as the company continues to recover from widespread issues caused by a power outage at one of its North American data centers on Thursday.

Nvidia is planning to sell the A800 AI chips originally designed for Chinese customers in North America after new export restrictions forced its hand, which could put a small dent in the ongoing GPU shortage.

Thanks for reading — see you Tuesday!