old versions of modules that come from the Ceph package got flagged by our security scan.
RHEL uses a practice called backporting, where older versions of software in packages get fixes from newer versions of the software without changing the version. This means that scanners that only check the version number can give you false positives for CVEs that are actually fixed. Is there a specific CVE that your scanner mentions? If so, you can look it up in the Red Hat CVE database and check if the fix has been backported, and which release of the package includes said fix.
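The changelog check that reply describes, as an added shell example that is not part of the thread: on a RHEL host the real input is `rpm -q --changelog <package>`, but the changelog text, maintainer, versions and CVE id below are constructed placeholders so the snippet runs offline.

```shell
#!/bin/sh
# Decide whether a CVE fix has been backported into an RPM by reading the
# package changelog, which records fixes even when the upstream version
# string (what a naive scanner compares) never changes.

# Constructed sample in the layout `rpm -q --changelog <pkg>` prints
# (newest entry first; header ends in "- EVR" as in Red Hat packages).
# The CVE id, dates and versions are placeholders, not real advisories.
SAMPLE_CHANGELOG='* Mon Mar 04 2024 Example Maintainer <maint@example.com> - 2:17.2.6-2
- rebuild for dependency bump

* Mon Feb 05 2024 Example Maintainer <maint@example.com> - 2:17.2.6-1
- fix denial of service in mgr module
- Resolves: CVE-0000-0001

* Tue Jan 02 2024 Example Maintainer <maint@example.com> - 2:17.2.5-3
- packaging cleanups'

# cve_fixed_in CHANGELOG_TEXT CVE_ID
# Prints the oldest epoch:version-release whose entry mentions CVE_ID and
# returns 0; prints nothing and returns 1 if the id never appears, which
# means the scanner finding still needs a manual look in the Red Hat CVE
# database rather than being dismissed as a false positive.
cve_fixed_in() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        /^\* / { evr = $NF }                        # header: last field is EVR
        $0 ~ ("(^|[^0-9])" cve "([^0-9]|$)") {      # exact id, not a prefix
            found = evr                             # keep last hit = oldest
        }
        END { if (found) { print found; exit 0 } exit 1 }'
}

# Real use on a RHEL host (package name is an example, not from the thread):
#   cve_fixed_in "$(rpm -q --changelog ceph-common)" CVE-YYYY-NNNN
# Demo on the constructed sample: prints "2:17.2.6-1".
cve_fixed_in "$SAMPLE_CHANGELOG" CVE-0000-0001
```

A hit tells you the installed release carries the fix; compare it with `rpm -q <package>` to confirm the running version is at or past that release.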
It seems like you don’t understand the actual motivations of the parties involved here.
Oracle’s goal with Oracle Linux is to undermine Red Hat profits to prevent Red Hat from competing with them on acquisitions. They also have a secondary goal of being able to offer their customers a “full stack” deployment (operating system plus application) of their core business products like Oracle Database.
SUSE’s goal is to attract new customers with a RHEL clone offering (tied in with their SUSE Manager product), which gives them a sales funnel to pitch their core business of SLES for those customers’ new deployments. They first did this with their “Expanded Support” offering, which was clone-style updates for existing RHEL and CentOS installs. They were working on converting this into a full distro offering named “Liberty Linux”, but abandoned the idea last minute. Instead they rebranded “Expanded Support” as “Liberty Linux”, causing much confusion due to previous leaks about the full distro by the same name.
Kurtzer/CIQ/Rocky’s goal is selling a RHEL clone as a core business offering, at a price that undercuts Red Hat’s pricing. This is only financially viable because they’re not doing 99% of the engineering work to build the operating system.
The parties involved have very different goals, but they’re aligned enough to partner up until one of them decides to screw the others over (see “United Linux”).
Don’t be fooled by them using the word “community” eleven times in the announcement. They’re doing this for their own business reasons, as detailed above. That’s why OpenELA is a trade association.
The entire point is to protect the participants’ commercial interests.
You must not talk to many enterprises. Many of them are looking for enterprise-level support of RHEL clones to cut costs. All the ones that I’ve directly heard about making a switch eventually switched back to Red Hat after realizing that the third party support was insufficient for their needs. These third parties can’t fix bugs or add features to a clone of another distro they do not control.
The F in FOSS stands for free as in libre, not free as in gratis. If you think that the point of FOSS is getting things for free (gratis), then I’m afraid you’re the one with things going over your head.