Fedora Board Recap 2010-11-08

Joerg Simon jsimon at fedoraproject.org
Tue Nov 9 08:39:59 UTC 2010


Thanks for the excellent board recap,

Am 08.11.2010 22:25, schrieb Mairin Duffy:
> === The Statement to be added to our legal guidelines ===
> "Where, objectively speaking, the package has essentially no useful
> foreseeable purposes other than those that are highly likely to be
> illegal or unlawful in one or more major jurisdictions in which Fedora
> is distributed or used, such that distributors of Fedora will face
> heightened legal risk if Fedora were to include the package, then the
> Fedora Project Board has discretion to deny inclusion of the package for
> that reason alone."
> === Votes ===
> '''Should we add this text to the Legal guidelines?'''
> * Add the language:++++++
> * Don't add language:
> '''Should we approve or deny the SQLninja request in particular?'''
> * Yes, SQLninja is okay to add: 
> * No, SQLninja shouldn't be added: +++++++
> 
> === Board Decision ===
> * We will add Spot's proposed language to the Fedora legal guidelines.
> (unanimous)
> * We won't allow the SQLninja package to be added to Fedora. (unanimous)

I have a question regarding the consequences of the above decision for
the Fedora Security Lab. Fedora as a security test platform has a big
use case - from what I see here in Germany, and I work with the ISECOM to
develop a good learning platform for teaching security, based on our
Fedora Security Lab. With FSL we already ship a lot of "tools" which can
do very bad things and can be used to spoof, attack, decrypt or brute
force - and where to draw the line? Even nc can do a lot of harm.

Just some of them are listed here:
https://fedorahosted.org/security-spin/wiki/availableApps

Such tools and security tests are not only for finding vulnerabilities; they
are also for finding out whether the established security controls work well
enough to resist attacks from such tools - how can you test that without such
tools? So if we want to do a proper security test, we have to use the
same methods as a real attacker would, but with the clear intention
of preventing crime.

I do not know the legal situation in the States, and the German
situation is not important for the Fedora Project - so it is just a
notice that we have a so-called "Hackerparagraph" here in Germany

http://tinyurl.com/2urm92p

but also a lot of legal court decisions where use with written
permission and contracts is declared legal use - the German Federal
Office for Information Security also offers such tools on a CD and got a
court decision where the use and offering of such tools is clearly
permitted if it is intended to prevent crime.

Thanks for your clarification in this matter.


cu Joerg

-- 
Joerg (kital) Simon
jsimon at fedoraproject.org
http://fedoraproject.org/wiki/JoergSimon
http://kitall.blogspot.com
Key Fingerprint:
3691 0989 2DCA 58A2 8D1F 2CAC C823 558E 5B5B 5688
