Enterprise Unix Roundup: We Get Letters -- The Indemnification Question

by Michael Hall

We re-evaluate our position on the importance of vendor indemnification as version 2.6.0 of the Linux Kernel is deemed ready for prime time. Vulnerabilities are found in lftp, CVS, and GnuPG. And we check out shopt, a way to tweak bash that provides a few silver bullets for the perils of the command line world.

In a recent Roundup, we addressed the question of legal indemnification for Linux users. The issue was on our mind because Hewlett-Packard offered indemnification for its Linux customers in September, and it seemed to us, at first blush, that other Linux companies (specifically Red Hat) might want to offer it as well. As we said back in the early fall:

"So far, few Linux companies have stepped up with assurances that they'll cover the court costs of companies adopting their products [...] what about Red Hat? Part of the strength of the Red Hat brand is its near synonymous association with Linux. That, in our view, confers some responsibility, too."

At the time, reader Larry Barton wrote to question our take on the matter, noting that indemnification isn't exactly a hot topic with most companies and further noting that IP indemnification is pretty much unheard of. Reader Burkhard Neidecker-Lutz was fairly succinct on the same issue:

"Like IBM, Red Hat pushes the capability to modify Linux to their enterprise customers, something that HP rules out with their indemnification offer. Instead they have aggressively tried to push SCO in court to put their cards on the table [...] Second, they have established the 1 Million US$ GPL defense fund.

What more do you want?"

We were in the process of rethinking our position even as these letters arrived: A Sun executive we spoke with said that prior to the SCO suit, he seldom heard about the issue from customers, but the two letters provided some useful perspective, too. Our sense at this time is that offering indemnification is more of a move aimed at calming nerves than of addressing a truly pressing concern, and Red Hat's efforts at clearing the air about Linux's status shouldn't go unnoted, even if they don't quite jibe with the sudden fashion of offering indemnification.

All the same, development methods aside, the thing that separates Linux from other operating systems right now, regardless of what their creators and vendors offer in the way of a legal aegis, is the SCO lawsuit, and that's why Linux is currently an exception to the normal silence on the issue. The question HP and Sun are addressing when they offer to indemnify their Linux customers is very much a matter of expediency introduced by SCO's threats to sue corporate Linux users for not honoring its licenses (which, we'll point out for the last time this year, haven't yet been established as valid by any court we're aware of).

So while we continue to think it's not a bad thing for companies like HP and Sun to offer customers assurances about their legal status in the form of indemnification, it seems less pressing than it did initially. If a court upholds SCO's claims to Linux and its right to license Linux to companies using it, indemnification will become a moot point as most respectable companies scramble to pay SCO off or jettison Linux in favor of something else.

Now that we are removed from the breathless press releases and general air of uncertainty SCO's worked hard to promote during the past year, we're less certain we'd be so quick to demand guarantees from Red Hat or anyone else.

In Other News

  • Linus Torvalds announced the release of Linux kernel 2.6.0. The traditional place to go for information on what's new with a new Linux release is Joe Pranevich's Wonderful World of Linux.
  • Novell released Nterprise Linux Services 1.0, which the company describes as "integrated file, print, messaging, directory and management services on Linux, wrapped in support, training and consulting services." Curious server administrators can take a look at the bundle by downloading an evaluation kit, the DirXML starter pack, and the company's GrouWise client. The product is supported on SUSE Enterprise Server 8 and Red Hat Enterprise/Advanced Server 2.1.
  • SCO has won assurances that any source code it's required to show in court during the course of its lawsuit against IBM will be kept secret: Only attorneys, the judge, and jury will be privy to it. SCO's problems with a distributed denial of service attack finally seemed to end early this week.
  • Sun announced that it's swapping out the 900 MHz UltraSPARC processors that drove its Sun Fire V1280 in favor of 1.2 GHz CPUs. The rack-mountable V1280 is scalable to 12 processors, and Sun is claiming a 30 percent speed bump.
  • According to a recent ServerWatch review, Sun's Sun Fire V120 might make the case for SPARC's ongoing value, offering good price and performance when compared to equivalent Xeon-based systems.
  • Speaking of Sun hardware: It slipped our mind last week, but the Sun Server Snapshot is now available. It offers a summary and at-a-glance table of Sun's server lineup, covering everything from its security appliance to its high-end offerings.

Security Roundup

  • lftp, an FTP and HTTP client, was found to be vulnerable to an HTML-parsing vulnerability that could allow arbitrary code to be executed with the user's permissions.
  • Revision control software CVS has a vulnerability that could allow attackers to create directories and files in the root directory.
  • GnuPG, a replacement for PGP, has a security failure that could, in the words of a recent advisory, "lead to a compromise of almost all ElGamal keys used for signing." El Gamal keys are relatively rare, but the advisory cautions users to "take immediate action and revoke your ElGamal signing keys. Furthermore you should take whatever measures necessary to limit the damage done for signed or encrypted documents using that key."

Tips of the Trade

We're pretty big fans of the GNU project's bash, the standard console shell for most Linux distributions and Apple's OS X 10.3. While we've got plenty of aliases and assorted other conveniences tucked away in our .bash_profile, we'd never gotten around to checking out shopt, which modifies the way bash behaves in certain circumstances, and provides several remedies for fat fingers and other perils of the command line world. Thanks to a friend (who also happens to be the author of a fairly popular piece of personal portal software) on a Unix-centric bbs we frequent, we looked around and found a set of tweaks worth sharing.

shopt is invoked by typing shopt, a switch (-s to enable a tweak, -u to disable it), and the option you want to tweak. Here are a few samples:

  • shopt -s cdspell corrects minor errors in a cd command. So if you're forever typing things like cd /ect/apache, once you set the cdspell tweak with shopt, bash will correct typos and change the directory to /etc/apache.
  • shopt -s checkhash checks to make sure that a hashed command exists before trying to execute it. If it doesn't, bash will search the command path before returning an error. This is handy, for example, for admins who replace a piece of software that came with their system with one they've compiled locally and placed in a different directory from the original, distributed software.
  • shopt -s dotglob includes files beginning with a "." in the results of pathname expansion.
  • shopt -s nocaseglob matches filenames without having to match case when performing a pathname expansion.

Quite a few other tweaks are available through shopt, all of which are documented on the bash man page. Thanks, Sam!

This article was originally published on Saturday Dec 20th 2003
Mobile Site | Full Site