Fedora Board Recap 2010-11-08

Ricky Zhou ricky at fedoraproject.org
Tue Nov 9 22:43:51 UTC 2010

On 2010-11-09 09:11:43 AM, Jared K. Smith wrote:
> In the case of this particular application, it seems the authors have
> gone out of their way to say "This is a tool for automating SQL
> injection attacks so that you can exploit someone else's system", and
> as such, does open Fedora up to some legal risk.  I'm not a lawyer,
> but I know Spot (as the official Fedora legal representative) well
> enough to know that if it makes him nervous, that I should probably be
> a bit nervous as well.
I disagree a bit here - while the author is very explicit about what the
tool actually does, I think he makes it pretty clear as well that it's
targetted at penetration testers.

Just another data point - I sometimes participate in computer security
competitions where tools like this could be useful in a legal way.

I'm pretty surprised to see that we've decided to disallow a package
like this when the actual legal risks to us/Red Hat haven't been
discussed or even determined.  Do you think this might have been a
little bit of a kneejerk reaction to some vague and yet-to-be determined
legal fears?

Just to be clear, I'm not against the statement that was added to the
legal guidelines, I just don't see why this package in particular didn't
pass the test for having useful legal purposes (or how its inclusion
causes any actual heightened legal risk).  I'm afraid that this decision
will set a bad precedent when looking at other packages in the future.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/advisory-board/attachments/20101109/d0660c82/attachment.bin 

More information about the advisory-board mailing list