Over the past week or so CentOS has received a lot of press, much of it rather unflattering. For those not familiar with the Community Enterprise Operating System (which is what CentOS stands for) it describes itself as "an Enterprise-class Linux Distribution derived from sources freely provided to the public by a prominent North American Enterprise Linux vendor." What they can't say on the website is that the vendor in question is Red Hat and that the sources are those for Red Hat Enterprise Linux. What CentOS and a few other Enterprise Linux clones do is take Red Hat's source code, which is licensed under the GPL, remove all the trademarked logos and, at least in theory, the corporate identity, and deliver an unbranded version at no cost.
I've used CentOS extensively over the past four years or so as an alternative to the commercial Enterprise Linux offering when individuals, companies or organizations wanted the stability, reliability, and reputation of the upstream Enterprise Linux but didn't want to pay, or simply couldn't afford, the software subscription cost. Many companies will choose to have licensed and fully supported Red Hat Enterprise Linux production servers but will use the no-cost alternatives on development boxes which simply aren't mission critical.
On July 30 some of the core CentOS developers wrote an open letter to project founder Lance Davis expressing their frustration at a lack of communication and threatening to leave the project en masse. This, in turn, was picked up by the technical press. The most over-the-top coverage came from The Register, which reported that CentOS was "poised to die". When Mr. Davis attended the next developers' meeting and, in the process, resolved some of the issues, The Register's sensational headline read: "CentOS back from brink of death." There's nothing like gross exaggeration to bring in that readership, is there?
This whole situation with Lance Davis was hyped way out of proportion. The whole time the dispute between the CentOS developers was in the news, development moved forward and patches were released. CentOS was never a one-man show. It was perhaps in danger of forking or a name change, but it never really was anywhere near the point of death. Even if the project were to die, businesses running CentOS could have moved forward without major disruption by pointing their servers to the repositories of another Enterprise Linux clone for updates and then gradually migrating to the other distribution.
The problem which led to the hyperbole and exaggeration of the issue was the decision to put an internal squabble on the front page of the CentOS website. It is truly rare that any good ever comes from airing your dirty laundry in public. Of course, if that is what caused Mr. Davis to show up to the last developers' meeting, maybe this was an exception.
My remaining concern about CentOS is that they have been slow with some security patches lately, and that has nothing to do with the developers' issues which made the press. Red Hat delivered Firefox 3.0.12, a security patch which closed five vulnerabilities classified as "critical", the same day Mozilla did. Scientific Linux (another RHEL clone) had it available within 24 hours. It took CentOS more than a week. That isn't good for something with known, significant vulnerabilities. Before someone points out that a browser isn't critical or perhaps even appropriate for most servers, I'll remind my readers that the upstream "prominent North American Enterprise Linux vendor" sells its product for both servers and corporate workstations/desktops. It is fair to assume that CentOS is used the same way. This also was not an isolated case of one late patch. Some patches have been very quick to arrive and others have not been. CentOS has been erratic with its patching for quite some time.
The recent furor around CentOS has crystallized my thoughts and helped me reach a conclusion about what criteria should be used in selecting a Linux distribution. In this case I am focusing on business, government and non-profit organizational use, but honestly these same criteria may be best applied to personal systems as well.
By shining a light on the CentOS development team I was reminded of something I knew all along but never focused on: CentOS is essentially a small, volunteer project. Much like the many hobbyist desktop Linux distributions, CentOS is dependent on relatively few people. If one key developer leaves, the project will suffer. If several leave, it would be greatly hurt and might not survive. That is the nature of small projects, not something unique to CentOS. It also, in my newly formed opinion, actually makes CentOS a poor choice for business. Does anyone else remember White Box Linux? It was another very good Enterprise Linux clone that simply stopped being updated a couple of years ago.
One of the big selling points of Linux in the enterprise space is the stability and reliability of the operating system. That applies to the organization supporting the code as much as to the code itself. One of the reasons Red Hat has been so successful as a company is a long reputation of excellence and stability as a company as well as in technical areas. The main competitors to Red Hat are SUSE, which is owned by Novell, a company with a long and largely successful history in enterprise computing, and Ubuntu LTS, which is owned by Canonical, a company known to have strong financial backing.
A Linux distribution doesn't have to be corporate to be able to provide a strong sense of stability. It can be backed by a government, a foundation with outside support, or educational or research institutions. The key isn't the structure of the supporting organization. Rather, it is knowing that such an organization can provide the foundation and the continuity to ensure that the distribution has adequate financial resources and doesn't depend on the health of one individual or the cohesiveness of a small group.
The net result is that I am no longer recommending CentOS, nor will I be deploying any new systems with CentOS. I'm going to recommend Scientific Linux over CentOS for folks who need a free Enterprise Linux clone. While I really wasn't worried about CentOS disappearing, I think the fact that Scientific Linux is backed by Fermilab (part of the U.S. Department of Energy), CERN and other leading research laboratories and universities around the world guarantees the health and longevity of the distribution. Scientific Linux has also been more consistent in delivering security patches on a timely basis, something critical to enterprise Linux users.
Even if we, the business user community, could be assured that CentOS will deliver security patches promptly from here on out, I still think Scientific Linux is a stronger choice. I'm not saying that Scientific Linux has better code or provides a better computing experience than CentOS or any other Enterprise Linux clone. I am saying that it has a strong organizational foundation that CentOS lacks.