Ship CIQ kernel patch with extra fix; contribute upstream; race to be first/best on CVE response

May 1, 2026 at 3:43 PMstrategyhigh

Situation

Linux kernel CVE response: CIQ shipping 10 fixes vs CentOS Stream's 9 (CIQ found and is fixing an extra issue related to the CVE). Extra commit submitted upstream to centos-stream and acknowledged for inclusion. CIQ pushing to be first EL distro to release, with primary goal of customer reassurance and secondary goal of public proof point that CIQ contributes to security and is large enough to serve big customers. Also pushing patches to RLC kernels as fallback in case RH doesn't move quickly.

Reasoning

Customer reassurance first, marketing second. The CVE is a chance to demonstrate CIQ contributes to security (not just consumes RH's work), counter the 'too small to serve big customers' perception (relevant with Coreweave just closing and Core42 in flight), and turn an industry-wide problem into a CIQ proof point. Upstream contribution is the credibility multiplier — CIQ found a fix RH missed and gave it back. Public LinkedIn FUD claiming CIQ wasn't responding made fast public response reputationally important. The divergence from RH's pace also surfaces a strategic question about whether CIQ should keep patching internally or invest in changing the RESF/Rocky build process to contribute fixes directly to the community.

Additional Context

Multi-day all-hands kernel response. Joseph up at 3am his time kicking off builds for Roxana. Maple et al. triggered next. Nathan/Justin coordinating across timezones. 9.6 and 9.4 LTS shipping first; RLC kernels next. Bjorn asked Nathan to update Citadel via the existing email thread (Nathan posted knowledge base article). Dave Dickerson flagged a LinkedIn post claiming CIQ behind on the CVE — Lindsay Aamodt (marketing) reviewing whether to respond publicly.

Observed Evidence

Direct Peter quote in distinguished-leaders 4/30 14:13 PT: be first/best framing. Nathan in Nathan 1:1 confirming patch count 10 vs 9. Greg replying upstream: 'It would go a long way to try and contribute it upstream as well'. Nathan in #hey-pete-look 5/1: extra commit acknowledged upstream. Coordination across Slack channels and email thread to Citadel.

Matching Patterns

30%

Executive Sponsorship for Strategic Partnerships(same category (strategy), executive direct involvement)

30%

Small Circle for Sensitive Operations(same category (strategy), tight coordination across small group)

Confidence Breakdown

32/35

Evidence

18/30

Pattern

22/20

Source

20/15

Corroboration

Reasoning Depth Analysis

Org Signal:CIQ as upstream contributor, not just RH downstream — reframes RESF identity question

Who Affected:RESF community, Red Hat (received the fix), Citadel + Jump + Trexcel customers, kernel team across timezones

Precedent:Critical CVE = CIQ engineering all-night with public writeup. Sets bar for next CVE response.

Consequences:Real strategic review surfaced (RESF/Rocky build process); marketing positioning opportunity; team burn

Timing:Public LinkedIn FUD claiming CIQ behind on CVE made fast public response reputationally important

People Involved

Peter Nelson, Nathan Blackham, Justin Haynes, Joseph Tate, Bjorn Hovland, Greg Kurtzer, Dave Dickerson, Lindsay Aamodt, Steve Wallace

Source

reflection

AI Confidence

92%

Related Context

💬

#distinguished-leaders — first/best framing

slack

we have a chance to be first... we found and are fixing another issue that's related to it... so we have a chance to be best

💬

#hey-pete-look — Nathan: extra commit accepted upstream

slack

We found an additional fix that needed to be included in the CentOS Stream kernel. They acknowledged and are pulling in the extra commit from upstream — gitlab.com/redhat/centos-stream MR 8078

🎥

Nathan <> Peter Weekly 1:1 — RESF/kernel strategy

fathom

Primary Goal: Reassure existing customers... Secondary Goal: If CIQ beats other EL distros to release, use it as a public sales/marketing point to counter the perception that CIQ is too small to serve large customers

Follow-up Todos

Suggest follow-up todo

Decide whether to invest in changing RESF/Rocky build process to contribute fixes directly upstream

@Nathan, @Justin

From: Nathan 1:1 (Fathom 142682308). Strategic question raised by the 10-vs-9 divergence. Two paths: (a) keep patching internally, (b) change the RESF/Rocky build to contribute these fixes upstream as the canonical path. Decision belongs to Peter; needs to be made before next CVE event normalizes the divergence.

Why: Right now CIQ ships better-than-RH on every shared CVE because of in-house engineering work. That's a competitive moat OR a sign the upstream process is broken — and the answer determines whether the 10-vs-9 pattern repeats forever or becomes the trigger to invest in the community build. Nathan flagged this as a strategic review item, and unanswered it will keep coming up at every CVE.

Outcome

No outcome recorded yet.

Decision ID: 67ed9247-3631-4bb2-9a55-eb89e5858181