SQLninja denial

Máirín Duffy duffy at fedoraproject.org
Mon Nov 15 14:15:48 UTC 2010


On Sun, 2010-11-14 at 18:05 -0800, David Wagner wrote:
> The minutes also suggest confusion about penetration
> testing tools in general.  

What confusion did you see?

> I saw in the minutes the objection that
> SQLninja is advertised as 'get root on remote systems'.  Are the board
> members aware that many penetration testing tools can be used to get
> root on remote systems, and it is precisely for this reason that they
> are useful for (legal, lawful, authorized) penetration testing?

It may not have been clear from the minutes, but it's pretty safe to say
the board members are & were aware of this.

>   Are the
> board members aware that legal penetration testing can, and sometimes
> does, include getting root on remote systems?

Do you use SQLninja for penetration testing? Had you heard of it before?
What penetration testing tools do you use? Is the language they use to
explain & advertise their tools similar to that used for SQLninja? How
do you find out about penetration testing tools? How many of the ones
you use are GPL? 

> 2) Some board members appear to have raised legal concerns.  However
> those were not made explicit in the minutes and it looks like there has
> not been an analysis or ruling from Fedora Legal.  Before the board
> ruled, the add package request (bug #63402) was blocked on FE-LEGAL,
> but it looks like the board voted to deny the request before hearing
> from FE-LEGAL.  Moreover, I cannot find any place where the legal
> concerns are articulated, let alone reference to particular statute or
> justification for a concern. 

I took the meeting minutes. Generally sensitive discussion is excluded
from meeting minutes.

~m


