[chrisseaton]

How does this work? How are RedHat able to reach into any of the thousands of projects in their repository and fix bugs and vulnerabilities? How do they have people on staff who understand all those codebases and algorithms?

Do RedHat support engineers get tickets like 'bug in the energy minimisation algorithm of GraphViz - go in, learn that field of computer science, and fix it'?

[paulryanrogers]

IIRC Redhat is a downstream consumer of many projects. And they have their own repositories and format (RPM). So yes, they do fix bugs in their copies and employee people who know, or can learn, the critical packages.

Hopefully they still send patches upstream to the original projects.

[bdavis__]

Yes, that is exactly how it works. Provided the bug reporter has a support contract and enough clout.

[quantummkv]

It is the upstream vendor that issues fixes. What RedHat does is that it takes the commits that fix the bug and merge them into their forks and release.

[chrisseaton]

> It is the upstream vendor that issues fixes.

So if you have a bug in a RedHat package, and you're paying $100k a year RedHat support contract, all they really do is open a GH issue with the upstream to ask them to fix it? And then you just wait hoping they fix it so RedHat can cherry pick it?

[myWindoonn]

We don't know. I'm going to tell you a short story, though.

Rumor has it that KMS[1] was developed entirely because a deep-pocketed RH customer was annoyed that their workstations showed a fraction of a second of the boot/init log, and wanted a more seamlessly-graphical boot.

This feature was not universally welcomed by the kernel community. It excluded BSD cousins and frustrated nVidia and AMD/ATI. I remember standing next to the DRM/KMS maintainer while Linus yelled at us.

RH absolutely will interact with upstream on behalf of their customers. They don't just "open a GH issue"; they present designs, code, rationale, and evidence to upstream. I wonder whether this is something that Oracle does, but it doesn't sound like it.

[1] https://en.wikipedia.org/wiki/Direct_Rendering_Manager#Kerne...

[throwaway2048]

Backporting fixes (and fixes ONLY, not new features, and new bugs, with new incompatabilities) onto an older version of software that comes in RHEL is not trivial.

[bubblethink]

They have the core repo and other less/un-supported repos/channels. They'll support everything in the main repo.