Fedora Board Recap 2010-11-08

Richard Fontana rfontana at redhat.com
Wed Nov 10 01:57:59 UTC 2010


On Tue, Nov 09, 2010 at 05:51:13PM -0700, Stephen John Smoogen wrote:
> On Tue, Nov 9, 2010 at 15:43, Ricky Zhou <ricky at fedoraproject.org> wrote:
> > I disagree a bit here - while the author is very explicit about what the
> > tool actually does, I think he makes it pretty clear as well that it's
> > targeted at penetration testers.
> >
> > Just another data point - I sometimes participate in computer security
> > competitions where tools like this could be useful in a legal way.
> >
> > I'm pretty surprised to see that we've decided to disallow a package
> > like this when the actual legal risks to us/Red Hat haven't been
> > discussed or even determined.  Do you think this might have been a
> > little bit of a kneejerk reaction to some vague and yet-to-be determined
> > legal fears?
> >
> > Just to be clear, I'm not against the statement that was added to the
> > legal guidelines, I just don't see why this package in particular didn't
> > pass the test for having useful legal purposes (or how its inclusion
> > causes any actual heightened legal risk).  I'm afraid that this decision
> > will set a bad precedent when looking at other packages in the future.
> 
> I apologize to various people for not being able to attend Monday's
> meeting. I am in a weird position here, while I have not used this
> particular tool, I have pretty much used every one on the security
> list over time in security work. I have also found pretty much all
> those tools on compromised machines over time. My security
> administrator hat says that even sqlninja has a place in figuring out
> where you stand in the sewer of network security. However I also
> realize that liability law in the United States makes this a
> troublesome issue for a public company.
> 
> Looking over the discussion, I do not believe I could have brought
> anything substantive to change people's minds. I understand the
> decision even if I do not agree with it. I can see that tools like
> this and metasploit being troublesome from a liability issue and
> bringing it up again for reconsideration is not going to help.

Hi there,

I have a question about the Board minutes on this issue. The minutes
say that the Board added a new legal guideline covering this sort of
situation, and then the Board voted to deny permission to package
sqlninja in Fedora. Did the Board specifically make the second
decision by applying the just-approved guideline?

- RF