October 10, 2023

Red Hat shuts down the rhsa-announce mailing list and reserves it for subscribers only.

Red Hat's decision to restrict access to the rhsa-announce mailing list poses challenges for clones like AlmaLinux and Rocky Linux in maintaining timely security updates.

IBM RedHat

Red Hat's recent announcement to shut down its rhsa-announce mailing list has sparked a wide range of reactions in the Linux and open-source community. This list was a reliable source of announcements, updates and notifications related to the security of software packages. Now, to access this information, you will need to be a “subscriber” of the Red Hat portal by logging in to this address or by subscribing to this RSS feed.

Login Red Hat account

Why is this move significant?

Red Hat's decision to limit access to the rhsa-announce mailing list was interpreted by many as a strategic maneuver aimed at hindering the growth and effectiveness of Red Hat clones, including AlmaLinux, Rocky Linux, Oracle Linux, and SUSE. These distributions, which were traditionally able to quickly and freely access security information through the mailing list, now face a significant challenge.

Interesting to note that these distributions are now part of the OpenELA consortium, a coalition that seeks to standardize and facilitate the sharing of source code and information between Red Hat Enterprise Linux (RHEL)-compatible Linux distributions. OpenELA was created precisely to deal with challenges like this, trying to offer a collaborative alternative that could replace or at least complement Red Hat's official channels.

IBM and the Open Source issue

Although Red Hat continues to maintain that it operates as a “separate and independent entity” from IBM, its recent move to shut down the rhsa-announce mailing list appears to be perfectly aligned with IBM's highly profit-oriented corporate philosophy. This decision could represent a further sign of a broader change in the approach of both Red Hat and IBM towards open source and the communities that gravitate around it.

IBM has a strong history of acquiring and monetizing technologies. One of the best-known examples is the acquisition of Lotus Development Corporation in 1995. Although Lotus was not an open source project, IBM leveraged open source components in various parts of the Lotus suite, with the goal of generating a profit. Similarly, its purchase of analytics and data science software provider SPSS in 2009 followed a similar pattern, with IBM also seeking to monetize analytics solutions through the use of open source technologies such as R.

The acquisition of Red Hat in 2019 for $34 billion was one of the largest deals in the world of open source software. Since then, IBM has begun integrating Red Hat's broad range of solutions, from OpenShift to Ansible, into its cloud and automation services. While Red Hat has always had a fairly ethical business model in line with the expectations of the Linux community and Open Source philosophy, its acquisition by IBM posed new questions about how the tech giant might seek to maximize profits. profits from the open source ecosystem.

This latest decision to limit access to security information could be seen as part of a broader strategy to control and monetize access to valuable assets within the Red Hat ecosystem, in line with IBM's business objectives.

Security implications

Red Hat's decision to restrict access to the rhsa-announce mailing list brings with it a series of implications in the delicate field of cybersecurity. In a world where cyber attacks are increasingly frequent and sophisticated, timing is crucial. Organizations depend on timely, detailed information to implement preventative measures, such as applying security patches and software upgrades.

In the new scenario, organizations and individual users that rely on Red Hat clones, such as AlmaLinux, Rocky Linux, Oracle Linux and SUSE, may find themselves at a disadvantage. Without a direct and rapid communication channel for security updates, these users run the risk of being exposed to vulnerabilities that cannot yet be mitigated. In practice, without immediate access to security advisories, technical operations such as patching and upgrades may be significantly delayed.

This delay may result in a window of opportunity for attackers to exploit known but not yet patched vulnerabilities. In this case, the risk is not just theoretical: a successful attack could lead to disastrous consequences, including the loss of sensitive data, operational disruptions and reputational damage.

Therefore, organizations will not only need to find alternative ways to be notified of security advisories, but also ensure that these channels are as timely and reliable as Red Hat's rhsa-announce mailing list. Only then will it be possible to maintain a level of security comparable to what they were used to, minimizing the risk of exposure to potential attacks.

final Thoughts

To maintain a level of security and updateability comparable to that provided by the rhsa-announce mailing list, OpenELA consortium distributions will now have to devise alternative ways to stay up to date on security advisories. This could include creating a new common mailing list, monitoring vulnerabilities through third-party sources, or implementing real-time security monitoring solutions.

This new scenario could also lead to a sort of “arms race” in the world of open-source software, where the ability to quickly access crucial security information could become a key competitive factor. Distributions that fail to keep pace may find themselves progressively marginalized or less competitive in the market, with potentially serious consequences in terms of security for end users.

While Red Hat's decision may seem like an isolated move, it could have a long-term impact on the broader Linux ecosystem, forcing competing distributions to rethink and perhaps reinvent their strategies for accessing and distributing crucial information on safety.

Shutting down the rhsa-announce mailing list is a move that can have a significant impact on the Linux community. However, as often happens in a rapidly evolving ecosystem such as open source, new solutions are likely to emerge to fill any information gaps.

Do you have doubts? Don't know where to start? Contact us!

We have all the answers to your questions to help you make the right choice.

Chat with us

Chat directly with our presales support.


Contact us by phone during office hours 9:30 - 19:30

Contact us online

Open a request directly in the contact area.


Managed Server Srl is a leading Italian player in providing advanced GNU/Linux system solutions oriented towards high performance. With a low-cost and predictable subscription model, we ensure that our customers have access to advanced technologies in hosting, dedicated servers and cloud services. In addition to this, we offer systems consultancy on Linux systems and specialized maintenance in DBMS, IT Security, Cloud and much more. We stand out for our expertise in hosting leading Open Source CMS such as WordPress, WooCommerce, Drupal, Prestashop, Joomla, OpenCart and Magento, supported by a high-level support and consultancy service suitable for Public Administration, SMEs and any size.

Red Hat, Inc. owns the rights to Red Hat®, RHEL®, RedHat Linux®, and CentOS®; AlmaLinux™ is a trademark of AlmaLinux OS Foundation; Rocky Linux® is a registered trademark of the Rocky Linux Foundation; SUSE® is a registered trademark of SUSE LLC; Canonical Ltd. owns the rights to Ubuntu®; Software in the Public Interest, Inc. holds the rights to Debian®; Linus Torvalds holds the rights to Linux®; FreeBSD® is a registered trademark of The FreeBSD Foundation; NetBSD® is a registered trademark of The NetBSD Foundation; OpenBSD® is a registered trademark of Theo de Raadt. Oracle Corporation owns the rights to Oracle®, MySQL®, and MyRocks®; Percona® is a registered trademark of Percona LLC; MariaDB® is a registered trademark of MariaDB Corporation Ab; REDIS® is a registered trademark of Redis Labs Ltd. F5 Networks, Inc. owns the rights to NGINX® and NGINX Plus®; Varnish® is a registered trademark of Varnish Software AB. Adobe Inc. holds the rights to Magento®; PrestaShop® is a registered trademark of PrestaShop SA; OpenCart® is a registered trademark of OpenCart Limited. Automattic Inc. owns the rights to WordPress®, WooCommerce®, and JetPack®; Open Source Matters, Inc. owns the rights to Joomla®; Dries Buytaert holds the rights to Drupal®. Amazon Web Services, Inc. holds the rights to AWS®; Google LLC holds the rights to Google Cloud™ and Chrome™; Microsoft Corporation holds the rights to Microsoft®, Azure®, and Internet Explorer®; Mozilla Foundation owns the rights to Firefox®. Apache® is a registered trademark of The Apache Software Foundation; PHP® is a registered trademark of the PHP Group. CloudFlare® is a registered trademark of Cloudflare, Inc.; NETSCOUT® is a registered trademark of NETSCOUT Systems Inc.; ElasticSearch®, LogStash®, and Kibana® are registered trademarks of Elastic NV Hetzner Online GmbH owns the rights to Hetzner®; OVHcloud is a registered trademark of OVH Groupe SAS; cPanel®, LLC owns the rights to cPanel®; Plesk® is a registered trademark of Plesk International GmbH; Facebook, Inc. owns the rights to Facebook®. This site is not affiliated, sponsored or otherwise associated with any of the entities mentioned above and does not represent any of these entities in any way. All rights to the brands and product names mentioned are the property of their respective copyright holders. Any other trademarks mentioned belong to their registrants. MANAGED SERVER® is a trademark registered at European level by MANAGED SERVER SRL, Via Enzo Ferrari, 9, 62012 Civitanova Marche (MC), Italy.

Back to top