by imglorp 1500 days ago
> RHEL/CentOS containers ... RH lock-in

So if a non-IP-lawyer reads the redistribution terms of the RH Universal Base Images, there are some very dubious implications in there, such as #22 and #42.

  https://developers.redhat.com/articles/ubi-faq#

Has anyone done a third party analysis of their EULA? My org, an ISV, may need some legal cycles to avoid stepping in this trap.

I'd be just fine avoiding UBI because of that, but there are some orgs whose security posture demands only UBI images are allowed in their domain so ISVs may be forced to pay to play.

2 comments

#22 and #42 are how they try to prevent people from adding RPMs from mainstream RHEL. I have seen GitHub repos owned by RH employees that have containers files that require you to attach an entitlement cert and the Red Hat CDN repo to install additional packages. It doesn’t violate the EULA because they aren’t distributing the image.

RH knows people will try to abuse the free UBI image and install RPMs they shouldn’t be.

I work with Red Hat Partners so I know these rules well.

Yeah, they are base images devoid of copyright/trademark assets like artwork or whatever, and so it goes... just a platform to layer around. Like you wrote, the first thing many people want or need is to layer other RHEL packages, or if the software lacks many dependencies then the ISV just integrates their own software over top, then packages that layer themselves...

Meh

> I'd be just fine avoiding UBI because of that, but there are some orgs whose security posture demands only UBI images are allowed in their domain so ISVs may be forced to pay to play.

That seems fine IMO; use free OSs wherever possible, but if customers want RHEL just pass the cost through and let them deal with it.