Do not pursue RedHat EULA violation for LTS kernel patches
Situation
Decided not to access RedHat EUS SRPMs directly (which would violate their EULA) to obtain CVE patches for LTS kernel work. Instead, continue with NARF-based CVE automation that sources patches from Debian, Ubuntu, Alpine, Arch, upstream commits, and other legitimate sources.
Reasoning
1) NARF is already working - beat RedHat to the net-snmp patch (CVE-2025-68615) by days.
2) Strategic value in reducing RHEL dependency rather than becoming further entrenched.
3) Legal/reputational risk not worth it when alternative approach is succeeding.
4) Even with EUS SRPMs, kernel work is fully divergent after EUS cut - still requires re-engineering.
5) Third-party tools (root.io) provide insulation buffer if needed.
6) Nathan correctly identified that EULA violation would make CIQ "further entrenched behind RHEL" - opposite of strategic direction.
Additional Context
Legal was investigating RedHat LTS options in Oct 2025. Greg had explored root.io for CVE remediation. NARF CVE automation matured significantly Dec 2025-Jan 2026, now searching 11 patch sources. Board presentation Jan 2026 framed this as capability expansion beyond RedHat ecosystem.
AI Confidence
90%
Outcome
Closed without detailed outcome
Decision ID: 29a6aed8-f316-403c-9143-5539f370aa98