SQLninja denial

David Wagner advisory at cs.berkeley.edu
Mon Nov 15 02:05:03 UTC 2010

I saw from the minutes of the Nov 8 board meeting that the board
voted to adopt the following new policy:

 "Where, objectively speaking, the package has essentially no useful
 foreseeable purposes other than those that are highly likely to be
 illegal or unlawful in one or more major jurisdictions in which Fedora
 is distributed or used, such that distributors of Fedora will face
 heightened legal risk if Fedora were to include the package, then the
 Fedora Project Board has discretion to deny inclusion of the package
 for that reason alone."

and voted to deny the request to add SQLninja as a package.

The minutes do not make clear the justification for denying SQLninja.
I wonder if there might be some confusion over the general nature of
penetration testing tools.

1) I don't know whether the board thought that SQLninja violated the
new policy.  If that's what the board thought, I believe the board was
mistaken.  Perhaps it would help to point out that SQLninja most likely
*does* have useful foreseeable purposes that are not illegal or lawful:
namely, penetration testing.

The minutes suggest that board members seem to think that SQLninja has no
beneficial use.  The minutes also suggest confusion about penetration
testing tools in general.  I saw in the minutes the objection that
SQLninja is advertised as 'get root on remote systems'.  Are the board
members aware that many penetration testing tools can be used to get
root on remote systems, and it is precisely for this reason that they
are useful for (legal, lawful, authorized) penetration testing?  Are the
board members aware that legal penetration testing can, and sometimes
does, include getting root on remote systems?

To be clear: the new policy does not justify denying inclusion of
SQLninja.  SQLninja does not fall into the category that the policy

2) Some board members appear to have raised legal concerns.  However
those were not made explicit in the minutes and it looks like there has
not been an analysis or ruling from Fedora Legal.  Before the board
ruled, the add package request (bug #63402) was blocked on FE-LEGAL,
but it looks like the board voted to deny the request before hearing
from FE-LEGAL.  Moreover, I cannot find any place where the legal
concerns are articulated, let alone reference to particular statute or
justification for a concern.  If the board is denying a package based
upon legal concerns, can I suggest that the board ought to wait until
it has an analysis from FE-LEGAL before voting to deny?

Of course, it is Fedora's choice whether it wants to package SQLninja, or
any penetration testing tool, or indeed any security-related tool at all.
However, I am concerned that the board has made a hasty decision based
upon a misunderstanding of the nature of these tools.   Therefore,
I would recommend that the board take this up for reconsideration at
the next board meeting.

More information about the advisory-board mailing list