[sullivanmatt]

I'm not even a user of rhel but the difference is: security patches. Enterprise uses rhel because they fix or triage nearly every vuln, every time. If you work for a company with extremely stringent security requirements, or sell to government entities, rhel and its derivatives (CentOS/Amazon Linux 2, etc) are basically the only way you can clear their requirements.

Debian (and by extension, Ubuntu) chooses to not fix a significant amount of security issues. This makes sense given their business models, but is an unworkable position for a huge number of enterprises that depend on Linux. Example: https://ubuntu.com/security/CVE-2021-45464

[Yeroc]

That, and if you need to run some COTS (commercial off-the-shelf) software package chances are the vendor will only support it on RHEL (or CentOS). However, many of these vendors also support Ubuntu LTS or Suse Enterprise now so there are (usually) a couple of Linux-based alternatives.

[cyberpunk]

I work for a eu government with extremely high security requirements (in the national identity / IDP / health space).

We actually _CANNOT_ use redhat for compliance reasons.

(We're using ubuntu LTS as it goes)

[jtolds]

Why? What compliance reasons make Ubuntu LTS work and RHEL not work?

[cyberpunk]

Stupid auditors/pentesters really. Explained a bit in another comment, but essentially we had to explain the concept of backporting cve fixes to the same 'version' of random libs to the auditors and to get certified we would have to demonstrate, with actual source, that each of ~200 or so cve's were fixed in various system parts (individually).

In the end, we just went with ubuntu for those nodes, and they all passed the certification. Shrug.

Since then, we don't even need the OS to be certified, since we are using confidential computing, and we stuck with ubuntu for our k8s nodes etc -- but we are forbidden from using rhel anywhere by our legal / compliance people now.

[mshook]

The issue here is with your auditors. I mean if RH tells you a CVE has been fixed with a backport, sure you can challenge that fact but at the same time and with the same standards, it'd mean your auditor would also have to check the actual source of your patched Ubuntu packages to make sure the new versions fixed the security bugs.

The bottom line really is plenty of auditors I've seen don't know how to check for vulnerabilities other than by checking a version... That's it.. Their tools or reporting only know package must have a version greater than x.y.z.

[fariszr]

What about SUSE/OpenSUSE? Surely that would've gotten the green light?