‘Rocky Linux from CIQ,’ for Enterprises Who Like a Shot of Assurance With Their Open Source

‘Rocky Linux from CIQ’ is Rocky Linux with a commercial entity to stand behind the open source product for enterprises that need that.

What do you do if you’re CIQ, an open source-focused tech company that, among other things, provides enterprise-grade support for some of the world’s leading software solutions, and you also just so happen to be the founding company behind Rocky Linux, one of the two most used clones of Red Hat’s enterprise Linux distribution?

I mean, what do you do with that Rocky Linux connection to take advantage of your expertise for the benefit of the distro and of your company’s bottom line?

You come out with a top-shelf subscription-based version of Rocky Linux with added compliance, indemnification, and supply chain validation guarantees, which is what CIQ has done with RLC, which stands for “Rocky Linux from CIQ“. The sweet spot here is that the CIQ team has managed to add some extra value for enterprises without putting any restrictions on accessing the source code — as Red Hat has done with RHEL.

They can do that because the extra value isn’t code — although there is some of that added to the mix — but peace of mind.

If this makes you figure that RLC is a basically a technical support offering or something along those lines, you would be wrong because that bird wouldn’t fly. Many if not most RHEL clone users don’t need or want technical support because they’ve got that otherwise covered with in-house expertise — although CIQ will be happy to sell you a support contract if you need one.

If I had to boil down to one word what RLC offers that doesn’t already come with Rocky Linux out-of-the-box, I think that word would be “assurance.” Or maybe “insurance” would be better. Or as I said, “peace of mind.”

If you sign up for it, RLC becomes your software vendor in a way that Rocky Linux Foundation — or any other community software organization — can’t.

Here’s how Gregory Kurtzer — who’s not only CIQ’s and Rocky’s founder, but a founder of the original RHEL clone CentOS Linux — put it:

“Most really large organizations don’t count on just running open source software,” he explained in a YouTube video. “They depend on open source software, but they need a company behind it. They need a solution where that company can help them if they get into something they’re not quite equipped to deal with. We’ve been asked many times, can CIQ be the company that’s kind of standing behind and supporting Rocky Linux?”

To be clear, Kurtzer isn’t talking about small companies running a few servers in an on-premises server room or in a rented rack in a colocation center somewhere. He’s talking about large enterprises running hundreds if not thousands of servers, and who need to make sure they’ve dotted all of their i’s and crossed all of their t’s. One thing they want is the peace of mind that comes from knowing that their software has a Red Hat, IBM, Microsoft, Cisco, or some other commercial entity backing it up — and that’s what they get with RLC.

RLC in a Nutshell

Here’s what comes with RLC, according to CIQ’s website:

CVE Remediations

• Community: Patches for vulnerabilities (CVEs) are normally managed by the community, with best-effort timing for their release. There are no guarantees for when patches will be incorporated into Rocky Linux.
• RLC: CIQ provides service level objectives (SLOs) to guarantee CVE patches, ensuring deployments remain secure and compliant and IT teams aren’t left fending for themselves in the event of patch embargoes or zero-day disclosures.

Dedicated Repositories

• Community: Rocky Linux packages are mirrored by independent sites with no guarantee of release timing, update cadence, availability or content accuracy.
• RLC: CIQ ensures package and repository quality by verifying content, offering indemnification, and distributing packages through secure U.S.-based repositories. This adds a layer of accountability and authenticity to the software supply chain.

Indemnification

• Community: The Rocky Linux distribution does not come with any extra legal indemnification from the community of maintainers. Users are therefore open to potential infringement claims related to open source software packaged with the distribution.
• RLC: RLC comes with legal indemnification protections out of the box. This gives enterprise users the extra peace of mind needed to trust and run open source software with mission-critical workloads.

Who’s It For?

This offering is obviously aimed at large enterprise deployments, and it’s priced accordingly. The single all-you-can-eat price of $25,000 yearly pretty much prices single users and smaller SMBs out of the market.

For large enterprises, which is really who could use the solid assurances and insurances that RLC offers anyway, the price is right. $25K comes to $250 per server for companies deploying only 100 servers, $25 per machine for 1,000 server deployments, or $2.50 each for organizations running 10,000 machines.

The all-you-can-eat pricing also means there’s no fuss or muss with compliance issues — which means enterprises don’t have to deal with surprise audits or any of that nonsense.

“The biggest customers that we have are so strict in terms of how they’re managing their compliance and their various security postures and stance, that they need to have guarantees,” Kurtzer said. “They need to have complete confidence. The open source community is fantastic for upstream development; it’s fantastic for collaboration. It’s not great for getting guarantees and it’s not great for guaranteeing compliance for these large organizations.

“We’re trying to figure out how to give our customers what they want, which is an open base, something they can build upon as a foundation which is open, secure, and compliant — but they need that in writing and they need that guarantee,” he added. “We are providing that, and we are becoming that throat to choke if anybody does need something along those lines.”