Fedora Board Recap 2010-11-08

Jared K. Smith jsmith at fedoraproject.org
Tue Nov 9 14:11:43 UTC 2010


On Tue, Nov 9, 2010 at 3:39 AM, Joerg Simon <jsimon at fedoraproject.org> wrote:
> I have a question regarding the consequences of the above decision for
> the Fedora Security Lab. Fedora as a Security Test Platform has a big
> use case - from what I see here in Germany, and I work with the ISECOM to
> develop a good learning platform for teaching security, based on our
> Fedora Security Lab. With FSL we already ship a lot of "tools" which can
> do very bad things and can be used to spoof, attack, decrypt or brute
> force - and where to draw the line? Even nc can do a lot of harm.

This is something we debated for quite a while in the Board meeting.
I think we as the Board tend to agree -- there are a *lot* of security
tools that are very useful, but can also be used maliciously.  The
question of where to draw the line (or lines, as the case may be) is
not easy, but here were some of the guidelines we used in making our
decision:

* Does the application increase the potential for legal threats
against Fedora (and Red Hat, as our primary sponsor)?
* Does the application have significant non-malicious uses?
* Is this an application that could be easily hosted in a third-party
repository?

In the case of this particular application, it seems the authors have
gone out of their way to say "This is a tool for automating SQL
injection attacks so that you can exploit someone else's system", and
as such, does open Fedora up to some legal risk.  I'm not a lawyer,
but I know Spot (as the official Fedora legal representative) well
enough to know that if it makes him nervous, that I should probably be
a bit nervous as well.

In short, it's a really tough judgment call.  We ended up taking two
votes -- one for the additional language to clarify the Board's stance
on this type of software, and another vote on whether or not to
include the application in Fedora.  In the end I voted to exclude
this application because I figured that if someone is smart enough to
use it for non-malicious purposes, they're probably smart enough to
find it in a third-party repository or package it themselves.  In a
perfect world we wouldn't have to make nearly so many subjective
judgment calls like this one, but we don't live in a perfect world.

Does this clarify the decision for you?

--
Jared Smith
Fedora Project Leader
