Re: Certifying a RedHat Install
From: Thomas Corriher (thomas_corriher_at_earthlink.net)
Date: Thu, 15 Jul 2004 17:34:30 -0400 (EDT)
To: Focus Linux List <firstname.lastname@example.org>
> My client wants me to certify there are no back doors in
> the RedHat 9 server we are going to deliver.
That cannot be done. Even tightly controlled monolithic
corporations like Microsoft cannot prevent rogue programmers
from sneaking in back-doors; as in the "Netscape engineers
are weenies" exploit that existed in IIS years ago. If you
want to eliminate liability for yourself then insert a "best
effort but no guarantees" clause into the contract, and make
certain there is no confusion about it. Be sure to cite how
EULAs always disclaim all responsibility, and also have one
of Microsoft's EULAs printed out with the critical sections
For security, Linux gives the following benefits (among
1 - Better design as security was built from the beginning
into every facet, and it inherited from Unix 30+ years of
refinement in network operating systems.
2 - More scientifically tested and extensively peer reviewed
at every level because of it being open source while
prominent in the most hostile environment -- the Internet.
Microsoft's own Ballmer admitted that it would cause a
computer security catastrophe if Windows code were ever
given the same scrutiny by being open to the public --
damning remarks you might want to have available.
> Question is what's the best way for us to certify this?
> * rpm -Va ?
> * A global md5 on each file?
Everything I wrote still applies. Furthermore, did Red Hat
insert a back door, or did they miss someone else's? RPM is
little help in those cases.
Scientific methodology, merit (not marketing) based
evolution of using the best from the global programming
community, and peer review are some security benefits of
Linux. I suggest you do not lessen these things by using a
corporation like RH, and use a distribution that is more
open in the community. Red Hat's distribution (not Fedora)
is not getting peer reviewed as it should, and their
misbehavior is directly responsible for that. Ultimately,
even when dismissing the technical arguments, you should
look elsewhere for reasons of professional ethics. Would
you be doing any service to move them from one company's
lock-in to just another blood sucking company with dirty
tricks and the type of EULAs most people have come to
despise? They are trying to move to a more open and secure
system, so using RH only betrays their trust. Before you
dispute this, carefully consider how you could review RH's
"enhancements" for security issues. What hurdles would you
need to cross to do it? Then consider the chilling effects
upon security, openness, and community. They play word
games and stretch the GPL to its limits, but behind their
smoke something is happening that is very wrong and
destructive to Linux. Don't be part of something like that.
> Also, what's the best way to minimize liability if they
> are hacked? I don't want to get sued because they were
Tell the truth, the whole truth, and nothing but the truth.
Make sure it is in writing and signed.
--
Thomas Corriher
A.I.M.: corriherct
phone: 336-391-2713
"Welcome to Mrs. Bush, and my fellow astronauts." -- George W. Bush
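
The following is an added example, not part of the original message: a triage of `rpm -Va` output showing what that check reports, namely files that differ from the installed package database. The sample lines and the `triage` function are constructed for illustration; a clean result says nothing about whether the packaged code itself is trustworthy.

```python
import re

# Constructed sample of `rpm -Va` output (not from the original message).
SAMPLE = """\
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/doc/bash/README
S.5....T.    /usr/bin/ssh
missing      /usr/sbin/tcpd
.M.......    /var/log/example
"""

# Verify flags: S size, M mode, 5 digest, D device, L symlink, U user,
# G group, T mtime, P capabilities; "." = test passed, "?" = not performed.
# Older rpm releases print 8 flag characters, newer ones 9.
# Optional marker after the flags: c config, d doc, g ghost, l license, r readme.
LINE = re.compile(
    r"^(?P<flags>missing|[SM5DLUGTP.?]{8,9})\s+"
    r"(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$"
)

def triage(text):
    """Sort deviations from the RPM database by how much review they need."""
    out = {"review": [], "config": [], "perms": [], "other": []}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines, dependency messages, etc.
        flags, attr, path = m.group("flags", "attr", "path")
        content = flags == "missing" or "5" in flags or "S" in flags
        if content and attr == "c":
            out["config"].append(path)   # edited config: expected, still read it
        elif content:
            out["review"].append(path)   # packaged file replaced or removed
        elif set(flags) & set("MUG"):
            out["perms"].append(path)    # mode or ownership changed
        else:
            out["other"].append(path)    # e.g. timestamp only
    return out

if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE).items():
        print(f"{bucket:7} {paths}")
    # The comparison is against the local RPM database only: it cannot see
    # code that shipped inside a package, and a root-level intruder can
    # alter the database too.
```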