This article was originally written by Red Hat
Your application platform is the foundation for your business. You require it to be scalable, available, secure, and flexible enough to adapt to your changing needs. To enable your IT staff to keep up with those needs, you need to support and extend their capabilities whenever you can. You need more than a support contract to achieve that: you need a collaborative and consultative relationship with your technology vendor. A subscription for Red Hat Enterprise Linux provides you with just that kind of relationship. As companies look to contain the costs associated with their IT infrastructures, it is understandable that they would investigate deploying CentOS as their enterprise Linux environment. The notion of deploying an “enterprise-class” Linux for free and supporting it yourself can sound very compelling to any IT department that is dealing with budgetary pressures. While a well-trained and well-staffed technical team may be capable of deploying and managing a CentOS installation, there are risks and limitations in deploying CentOS in today’s enterprise environment. These challenges are not something that training and staffing can resolve.
If a user needs business and technical support, along with an SLA and an assurance that they can get that support at any time for their application, they really should be talking to Red Hat.
– Karanbir Singh, CentOS developer,
This becomes clear when you look at what a Red Hat subscription delivers versus what risks and added duties you have to accept when you choose to deploy CentOS.
Vendor versus community project
Red Hat has been in the Linux business since 1993 and is the No. 1 commercial enterprise Linux vendor, with more than $700 million in revenue and more than 3,500 employees worldwide. Red Hat is listed on the S&P 500, and Red Hat Enterprise Linux is trusted to power millions of servers, from simple websites and blogs to many of the world’s stock exchanges and highly secure, mission-critical systems for governments.
Red Hat has achieved this success by acting as a catalyst between the open source development community, customers, and hardware and software vendors to deliver a true enterprise platform. Red Hat makes this platform available to its customers through its comprehensive and affordable subscription model. Red Hat Enterprise Linux subscriptions deliver exceptional value by ensuring that customers have access not only to the platform and maintenance, but also to Red Hat’s knowledge base, expertise, and support throughout the entire lifecycle of their IT infrastructure.
By contrast, CentOS is an open source project—not a company. A dozen or so volunteers download and repackage Red Hat Enterprise Linux and make it available for those individuals who have the expertise to install, operate, and maintain the components of a Linux distribution themselves. Since CentOS is produced by volunteers who have day jobs and personal lives, delivery of new versions of CentOS and binaries can be unpredictable. There have been documented occurrences of CentOS production and testing coming to a halt while the team dealt with non-technical issues around team dynamics and organization.
CentOS is not a legal corporate entity. CentOS sells no products and offers no warranties; they have none of the contractual obligations that are normally associated with a commercial vendor.
The CentOS project assumes no liability for the code they produce and distribute, nor do they indemnify their users against legal action for use of their software. Red Hat Enterprise Linux subscribers are automatically eligible for Red Hat’s intellectual property assurance program, which provides some safeguards in the event of an intellectual property infringement claim while you have a Red Hat subscription.
Creation versus Derivation
Even the CentOS team will tell you that they derive CentOS from Red Hat Enterprise Linux, meaning that they use most, but not all, of Red Hat Enterprise Linux’s source code, and they assemble the binaries in their own build environment. The result is a Linux distribution that is different from Red Hat Enterprise Linux, yet dependent on the availability of Red Hat Enterprise Linux source code. That means new security features, utilities, or updates that enable new applications or new hardware won’t be delivered in CentOS until sometime after they are delivered in Red Hat Enterprise Linux and published as source by Red Hat.
The time lag between updates could leave you vulnerable to online attacks for longer, or unable to take advantage of the latest advances in hardware. The CentOS team’s stated goal is to release new versions of CentOS within four weeks of a Red Hat Enterprise Linux release. Sometimes they do better than that, but in the case of Red Hat Enterprise Linux 6, CentOS is behind by more than two months. Deciding to deploy CentOS means deciding to be behind the curve in matters of security and technology.
A security team versus a security forum
Red Hat’s industry-leading Security Response Team works with our customers, partners, security watchdog groups, and the global open source community to identify security vulnerabilities. Red Hat provides fixes immediately as they become available and tested. For example, with Red Hat Enterprise Linux 5, from the day it was generally available until the release of Red Hat Enterprise Linux 5.6, Red Hat had fixes for 97% of critical security issues for its customers within a day of them being publicly reported.
CentOS users have the option of sending private emails to the team to report security issues and concerns, or of seeking help for their issues in the CentOS online forums. But because CentOS is derived from Red Hat Enterprise Linux sources, the CentOS team waits for Red Hat to find, fix, and publish security updates before they build and distribute a corresponding CentOS version. This leaves CentOS users vulnerable to security breaches in their platforms for hours and sometimes days longer than Red Hat Enterprise Linux subscribers, who have access to security updates as soon as they are published.
Additionally, the CentOS Linux distribution has not achieved the security certification required for deployment in many government agencies and commercial enterprises.