Fedora Board Recap 2010-11-08

Stephen John Smoogen smooge at gmail.com
Wed Nov 10 00:51:13 UTC 2010

On Tue, Nov 9, 2010 at 15:43, Ricky Zhou <ricky at fedoraproject.org> wrote:
> On 2010-11-09 09:11:43 AM, Jared K. Smith wrote:
>> In the case of this particular application, it seems the authors have
>> gone out of their way to say "This is a tool for automating SQL
>> injection attacks so that you can exploit someone else's system", and
>> as such, does open Fedora up to some legal risk.  I'm not a lawyer,
>> but I know Spot (as the official Fedora legal representative) well
>> enough to know that if it makes him nervous, that I should probably be
>> a bit nervous as well.
> I disagree a bit here - while the author is very explicit about what the
> tool actually does, I think he makes it pretty clear as well that it's
> targeted at penetration testers.
> Just another data point - I sometimes participate in computer security
> competitions where tools like this could be useful in a legal way.
> I'm pretty surprised to see that we've decided to disallow a package
> like this when the actual legal risks to us/Red Hat haven't been
> discussed or even determined.  Do you think this might have been a
> little bit of a kneejerk reaction to some vague and yet-to-be determined
> legal fears?
> Just to be clear, I'm not against the statement that was added to the
> legal guidelines, I just don't see why this package in particular didn't
> pass the test for having useful legal purposes (or how its inclusion
> causes any actual heightened legal risk).  I'm afraid that this decision
> will set a bad precedent when looking at other packages in the future.

I apologize to various people for not being able to attend Monday's
meeting. I am in a weird position here, while I have not used this
particular tool, I have pretty much used every one on the security
list over time in security work. I have also found pretty much all
those tools on compromised machines over time. My security
administrator hat says that even sqlninja has a place in figuring out
where you stand in the sewer of network security. However I also
realize that liability law in the United States makes this a
troublesome issue for a public company.

Looking over the discussion, I do not believe I could have brought
anything substantive to change people's minds. I understand the
decision even if I do not agree with it. I can see tools like
this and metasploit being troublesome from a liability standpoint, and
bringing it up again for reconsideration is not going to help.

From an infrastructure point of view, do we need to make sure that
this and similar tools are not on repos or similar fedoraproject.org

Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance."
Randy Nelson, President of Pixar University.
"Let us be kind, one to another, for most of us are fighting a hard
battle." -- Ian MacLaren
