Re: Certifying a RedHat Install
From: Peter H. Lemieux (phlcyways.com)
Date: Thu Jul 15 2004 - 10:04:13 CDT

First of all, before you ship anything, you need to have your client sign a
contract that includes the industry-standard language exempting you from any
contingent liabilities. If she balks, show her the following language that
applies to every single Microsoft product her company owns. (Sorry for the
caps, but that's the way it appears in the license.)

EXCLUSION OF INCIDENTAL, CONSEQUENTIAL, AND CERTAIN OTHER DAMAGES. TO THE
MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL MICROSOFT OR
ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR
CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR
LOSS OF PROFITS OR CONFIDENTIAL OR OTHER INFORMATION, FOR BUSINESS
INTERRUPTION, FOR PERSONAL INJURY, FOR LOSS OF PRIVACY, FOR FAILURE TO MEET
ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, FOR NEGLIGENCE, AND
FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY
WAY RELATED TO THE USE OF OR INABILITY TO USE THE PRODUCT, THE PROVISION OF
OR FAILURE TO PROVIDE SUPPORT SERVICES, OR OTHERWISE UNDER OR IN CONNECTION
WITH ANY PROVISION OF THIS EULA, EVEN IN THE EVENT OF THE FAULT, TORT
(INCLUDING NEGLIGENCE), STRICT LIABILITY, BREACH OF CONTRACT, OR BREACH OF
WARRANTY OF MICROSOFT OR ANY SUPPLIER, AND EVEN IF MICROSOFT OR ANY SUPPLIER
HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

RedHat has similar language in its End-User Licensing Agreement for RH9:

You simply can't assume any liabilities in this regard. It's just too easy
to blame a software failure, and thus you, for thousands and thousands of
dollars of "consequential" damages resulting from loss of business, etc.
That road leads to enormous legal fees and probably bankruptcy for you.

Has your client imposed the same certification requirement on every supplier
who has shipped a Windows server? Certainly a quick scan of the
vulnerabilities database at cert.org would show quickly that any Windows
server also has "back doors."

What about some vulnerability in the future that has yet to be discovered?
In just the past few months we've found holes in the Linux kernel and
OpenSSL. How can you certify the absence of something that has yet to be

All I think you can promise, especially given that you're using a commercial
distribution, is that you will ship a server that includes all the currently
available upgrades (including those at fedoralegacy.org since RH9 is no
longer officially supported). I usually include a clause in my support
contracts that promises to "review" the software installed on the server
twice annually during the term of the contract and to install, at my
discretion, any updates I deem required. More than this I'm not willing to
promise, nor should you.

PS: If you don't have written contracts, or alternatively a published
licensing agreement that your clients can read and (at least implicitly)
accept, you need to talk to your lawyer!

> My client wants me to certify there are no back doors in the RedHat 9
> server we are going to deliver. It's a base RH9 install with a few
> extra RPMs, like Guarddog.
>
> Question is what's the best way for us to certify this?
> * rpm -Va ?
> * A global md5 on each file?
>
> Also, what's the best way to minimize liability if they are hacked? I
> don't want to get sued because they were negligent.
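An integrity-baseline script in the spirit of the "md5 on each file" option raised in the quoted question, added here as an illustration and not part of the original thread (it uses SHA-256 rather than MD5). It assumes POSIX sh with coreutils (sha256sum, find, join, cmp), and that the baseline file is stored off the server, since a baseline kept on the same disk can be altered together with the files it describes.

```shell
#!/bin/sh
# Added example: record a per-file SHA-256 baseline of a shipped tree at
# delivery time, and later verify the tree against it, reporting files that
# were ADDED, REMOVED or CHANGED. Baseline format: "relative/path<TAB>hash",
# sorted so that join(1) can compare two baselines. File names containing
# tabs or newlines are not handled.

# make_baseline ROOT OUTFILE: hash every regular file under ROOT.
make_baseline() {
    ( cd "$1" && find . -type f | while IFS= read -r f; do
          h=$(sha256sum "$f" | cut -d' ' -f1)
          printf '%s\t%s\n' "$f" "$h"
      done | LC_ALL=C sort ) > "$2"
}

# verify_baseline ROOT BASELINE: print differences; return 0 only if the tree
# matches the baseline exactly, 1 if anything was added, removed or changed.
verify_baseline() {
    now=$(mktemp) || return 2
    make_baseline "$1" "$now"
    tab=$(printf '\t')
    # Paths only in the baseline: file removed since delivery.
    LC_ALL=C join -t "$tab" -v1 "$2" "$now" | cut -f1 | sed 's/^/REMOVED  /'
    # Paths only in the current tree: file added since delivery.
    LC_ALL=C join -t "$tab" -v2 "$2" "$now" | cut -f1 | sed 's/^/ADDED    /'
    # Paths in both but with a different hash: content modified.
    LC_ALL=C join -t "$tab" "$2" "$now" | awk -F'\t' '$2 != $3 {print "CHANGED  " $1}'
    if cmp -s "$2" "$now"; then rc=0; else rc=1; fi
    rm -f "$now"
    return $rc
}

# Command-line use:
#   sh baseline.sh make   /srv/shipped  /secure/baseline.tsv   (at delivery)
#   sh baseline.sh verify /srv/shipped  /secure/baseline.tsv   (at review time)
case ${1-} in
    make)   make_baseline "$2" "$3" ;;
    verify) verify_baseline "$2" "$3" ;;
esac
```

A matching `rpm -Va` run complements this for packaged files, but it checks against the RPM database on the same disk, so an off-box baseline is the stronger record.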