RedHat 9 packages, versions and patches
Ingvar Hagelund
ingvar at redpill-linpro.com
Thu Jun 26 16:26:04 UTC 2025
Thu, 26.06.2025 at 16.49 +0200, Martin HAMANT wrote:
> Hi,
Hello Martin
> I would like to understand from which upstream branch RedHat's patches
> are coming and why. For instance on RHEL9 we currently have
> varnish-6.6.2-6.el9_6.1.
> I suppose RedHat is applying (backporting) security patches on top of
> this _old_ release, but from which upstream branch does it come? Is
> this from the 6.0.x LTS branch or newer?
Red Hat decided, probably by popular demand, to include varnish into
rhel for el8. They chose wisely to go for the 6.0.x LTS release that
was current at the time, and have tracked that for el8 since. Then they
started the work on varnish for el9 around 2020. They forked the fedora
package as is usual, then at varnish-6.5.1, and have maintained their
own branch in centos stream 9 since then. They updated to varnish-6.6.x
and then built the rhel9 package from that. In this work, they have
been on their own, though they ask me (as the fedora maintainer) about
things from time to time, though sometimes neglecting my advice, see
below.
> Last question; do you know what is the reason behind this specific
> '6.6.2' version in RedHat 9 ? (rather than a LTS one for instance)
Having 6.0.x LTS in el8, I presume they wanted something newer, but who
knows. I was not given any particular reason for the choice, other than
that 6.0.x was perhaps growing a bit old. To my knowledge, no new
LTS had been planned at that point. I challenged the Red Hat
maintainers that the support burden with going with something newer,
would fall on them. I tried to make clear what the options were, with
upstream leaving old versions behind about once a year. I hope they
have risen to the challenge. Similarly, they have chosen 7.6.1 for
el10, again probably just because that was current at the time of the
fork from Fedora.
On your first question:
When bugs or build problems arise in a release, I patch these in the
Fedora rpm, either myself then reporting upstream, or based on work
already done upstream. As the package is forked from Fedora, the
rhel package inherits all these small fixes.
Red Hat's further work on Varnish after the fork may be followed quite
openly in centos stream. You can find a mirror of their git repo at
https://gitlab.com/redhat/centos-stream/rpms/varnish , with branches
for c9s and c10s respectively. They do this work on their own, merging
in stuff from fedora and upstream from time to time. I presume they do
security patching themselves based on work upstream, but I do not know
this in detail, and the sources of their patches are not mentioned
explicitly. The person who could give a clear answer to this is
probably Luboš Uhliari, who does most of the patching and package
maintenance of varnish at Red Hat. Generally, they have their own
prioritizations and policies, taking their own decisions.
As an example, it is well proven that running varnish with jemalloc
gives better performance. My classic rant here is how I advised Red Hat
to import Fedora's jemalloc package into RHEL, for varnish and for
common use, as there are several other packages in RHEL that use
jemalloc internally. By a Red Hat policy, probably to avoid maintenance
of an extra general malloc implementation or something, this was
disregarded, and they went with glibc malloc. Not surprisingly,
performance hungry customers asked for jemalloc support in varnish. So
they recently decided to patch jemalloc back inline into varnish again,
reversing my earlier work to fulfill the Fedora Packaging Policy of
maintaining separately released libraries as separate packages.
Note that generally, I think the relationship among Varnish Cache
upstream, Varnish Software maintaining the 6.0 LTS branch, Fedora, and
Red Hat here, is quite healthy, and I absolutely do not want to bash
Luboš nor his colleagues' work. We all have different priorities and
policies to follow.
Ingvar