Fedora rejects hacking tool SQLninja

In February November 8, the Fedora board meeting discussed whether to add the SQL Injection Check Tool SQLninja to the release. The final result of the discussion was a rejection, mainly because it worried that the legal risks faced by the ora publisher would increase, and Fedora believed that it was useless except for illegal purposes. FedorarejectsSQLninja [PostedNovember10, 2010 bycorbet] From: MairinD

In February November 8, the Fedora board meeting discussed whether to add the SQL Injection Check Tool SQLninja to the release. The final result of the discussion was a rejection, mainly because it worried that the legal risks faced by the ora publisher would increase, and Fedora believed that it was useless except for illegal purposes.

Fedora rejects SQLninja
[Posted November 10,201 0 by corbet]
From: Mairin duy
To: advisory-board-AT-lists.fedoraproject.org
Subject: Fedora Board Recap 2010-11-08
Date: Mon, 08 Nov 2010 16:25:32-0500
Message-ID: <1289251532.27252.10.camel @ Brigid>
Archive-link: Article, Thread

(These notes are available in wiki format at the following URL:
Https://fedoraproject.org/wiki/Meeting:Board_meeting_2010 ...)

Below find the full minutes from today's Board meeting.

~ M

= Board Meeting 2010 Nov 08 =

= Roll Call =

=== Present ===
* Tom "spot" Callaway
* Rex Dieter
* Jared Smith
* Máir ín Duffy
* Jon Stanley
* Matt Domsch
* Colin Walters
* Chris Taylor

=== Absent ===
''(None )''

=== Regrets ===
* Christopher Aillon
* Stephen Smoogen

= Agenda =

'''Updates '''
* F14 shipped! Hooray! Now let's get to work on F15

'''Board Business :'''
* [[# Community_Working_Group | #82: Draft a charter for a Community
Working Group] (https://fedorahosted.org/board/ticket/82)
* [[# OpenRespect.org | http://openrespect.org -- Does the Fedora Board
Agree with this statement?]
* [[# New_Legal_Guideline | #86: New Legal Guideline]
Https://fedorahosted.org/board/ticket/86)
* [[# Fedora_Elections_Process | Fedora Elections Process]

= Community Working Group =

=== Specifics about the group ===
* '''Wiki page :'''
Https://fedoraproject.org/wiki/Fedora_Community_Working_G...
* Tasks for the group
** Will need to come up with code-of-conducting
** Come up with proposal to enforce (if deemed needed)
* Group will have 5 members
* Time duration:
** Limited time span, like Board-1 year lifetime.
** Jds2001 talked to Jeff Mitchell in KDE group, said it is not a big
Time sink.

=== Recruitment Process ===
* Karsten doesn' t want to join, but wants to be an insider journalist
For the Open Source Way
** That's fine by us, no opposition-notes need to be sensitive
Private meeting content, however.
* Everyone else contacted, one interested, rest not interested, or not
Interested in being a direct member of the group.

=== Candidate demo-===
* How to select candidates? We talked about lew.rex select them or
Having the Board vote, and decided to have a Board vote.
* '''Demo-: ''' We voted for 5 candidates + 1 alternate amongst
Nominations we have Ed. These candidates will be contacted. In the case
Where one of the candidates cannot serve, the alternate will be called
On. The candidates will be announced at some future point when they have
Been confirmed.

= OpenRespect.org =

=== Basic Information ===

* Joint statement between Linux distros about respecting each other &
Communicating in a friendly/civil manner at http://openrespect.org
** Jono Bacon wrote it.
** Jono Bacon talked to Jared about this, and said he wowould draft
Statement and wocould involve Jared but ended up releasing via his blog
Without collaborating before release and emailed Jared afterwards.

=== Board Discussion ===
* On first glance seems reasonable; what's the effect of having this out
There? So what? (Ctyler)
* KDE community member Aaron Seigo weighs in and decides not to 'sign'
Http://aseigo.blogspot.com/2010/11/commonality-and-commun...
** Makes the point that respect is earned. Be cordial & polite to folks
You don't know. There's a difference between being polite and respectful
(Spot)
* Jono's Blog post on it:
Http://www.jonobacon.org/2010/11/05/making-our-world-more...
** Tends to be slanted towards not 'picking on 'Canonical; the spin
Makes me uncomfortable (spot)
** Fab's comment on Jono's blog post points out difference
Respecting people and respecting companies (mizmo)
* Can have difference of opinion and still be polite (but respect? Not
Necessarily) (jsmith & jds2001)
** At the EtherPad FAD, someone tried to 'teach' Spot about licensing...
Spot had to be polite & nice... but didn't feel he respected his point
Of view. Made every effort to be polite & cordial. Was that respectful?
Maybe not, but 125% trying to be polite and not saying anything hurtful.
There is a difference... if you disagree with someone who has lots
Well-research reasons for a different standpoint, still can be
Respected. (spot)
* Don't see your sion of legitimate criticism... that wocould be another
Concern about how this is shaped (ctyler)
* Engaging honest, open, and polite debate. Does debate count
Criticism or is it okay? (Rdieter)
** Statement seems to be anti-critcism. Hard time accepting as-is in
That case rdieter)
* Think the statement shocould be about civility, not respect (mizmo)
(Spot + 1)
* Not sure (a) why this is necessary (B) what do we get from being
Part of it? (Mdomsch)
* All the communities in FLOSS struggling to deal with these issues,
Maybe cocould be part of the discussion but not the endpoint (ctyler ?)
* Concern: What about new guys (or gals) without a track record? How can
They be counted too? (Mdomsch)
** Respect is an aspect of new folks coming in, but courtesy & patience
Are probably more applicable. if you show a new person courtesy &
Patience, they have a chance to tackle the problems & earn respect
(Spot)
** 'Respect 'has a lot of different meanings... having respect
Someone is different than being disrespectful (spot)
* ** Openantidisrespect.org (rdieter)

=== Board demo-===
* How do we move forward? Say we don't approve it? Make wording change
Suggestions? Ignore what he's doing and do our own thing? (Jsmith)
** '''Demo-: ''' Say we don't approve of the statement and wowould like
To be involved earlier on similar efforts? (Spot)
** '''Demo-: ''' Can we ask jono to go back to the problem statement
And solicit some brainstorm/ideas (from various FLOSS projects) on how
To solve the problem? (Mizmo)
** ''' Demo-: ''' Point out a focus on civility as opposed to respect.
(Rex, mizmo + 1)
** ''' Idea: ''' Could be cool to have a portal that points to various
FLOSS projects 'statements/inform ies/codes-of-conducts? <= At least then
The website wocould serve an actual purpose:-p (mizmo)

= New Legal Guideline =

=== Basic Information ===
* SQLninja package review request submitted. All that it does is try
Exploit vulnerabilities in SQL queries to give you root access on remote
Systems/root equivalent on Windows systems. (Package request:
Https://bugzilla.RedHat.com/show_bug.cgi? Id = 637402)
* Argument for SQLninja to be added to Fedora is that it is
'Penetration testing tool .'
* Where is the line between what we wocould take into Fedora B/c it is
Free software vs. how hazardous it might be?
* We never had an explicit policy on this; wanted to wait until we
Actually encountered it.
* RH Legal:
** Want us to add some text (text in ticket 86)-gives us another
Loophole to add to the legal guidelines so we have the right to say
App is too risky/too likely to be used for illegal/dangerous reasons.
So we can have some discretion over what is already ded.
** We do bear some additional risk from carrying a tool like this-
Hacker can claim he didn't know about the tool before we made it visible
To him. Not terribly likley but concerning.

=== Proposal ===
* Spot proposes we add the new legal text, and also wowould like us
Decide on what to do about SQLninja in particle.

=== Board Discussion ===
* Just bc you give someone a gun, it doesn't mean they aren't going
Shoot someone with it. (jds2001)
** This is advertised as 'get root on remote systems '-it doesn' t
Advertise itself as a security tool. (spot)
** Does it matter what they market themselves? (Colin)
** What about the Mozilla extension that creates webtraffic and logs you
Into websites... might be instructive to know what Mozilla's guidelines
For extensions are. (colin)
* ** Wasn't distributed by Mozilla, was distributed by developers
* Does the benefit of this app outweigh the risk? (Spot)
** Talked to a couple of folks who work in security, and they said
Having tools like this easily accessible is useful for them. However, is
That the primary use case in practice? (Spot)
* We package Jack the Ripper (mdomsch)
** Less concerning because it's not remote/aggressive exploit, need
Actual password file from the system. Valid case of oh I forgot
Password. (Spot)
** If legitimate use seems to be more common than not, seems okay to me
(Spot)
* What is the actual risk? (Mdomsch)
** Really hard to say (spot)
* Some legal disclaimer for the software we provide? We can't review
Everything? (Colin)
** Spot asked about disclaiming liability for what people do with
Software-Legal said we can do that but it doesn' t really do us
Anything.
** For it to be more meaningful, digital signature... linoleic won't help
Because you don't have to be a contributor to use it.
** Software creators already disclaiming liability through GPL
* Upstream claims SQLninja too complex to set up, so not useful
Script kiddies. Has wording like, 'Feel free to have fun with this tool,
But this might get you in trouble with a lot of law enforcement
Agencies. '(Spot)
* Who gets the discretion? FESCo? Board? Fedora Legal?
** If a legal nature, shocould be Board (jsmith, Spot) text updated
Reflect this
* Unfair to submit expostfacto blockers to packages (jds2001)
** SQLninja hasn't actually been reviewed yet so it's not ex-postfacto
(Spot)

=== The Statement to be added to our legal guidelines ===

"Where, objectively speaking, the package has essential no useful
Foreseeable purposes other than those that are highly likely to be
Illegal or unlawful in one or more major jurisdictions in which Fedora
Is distributed or used, such that distributors of Fedora will face
Heightened legal risk if Fedora were to include the package, then
Fedora Project Board has discretion to deny your sion of the package
That reason alone ."

=== Votes ===

'''Should we add this text to the Legal guidelines? '''

* Add the language: ++
* Don't add language:

'''Should we approve or deny the SQLninja request in particle? '''

* Yes, SQLninja is okay to add:
* No, SQLninja shouldn't be added: ++

=== Board demo-===

* We will add Spot's proposed langauge to the Fedora legal guidelines.
(Unanimous)
* We won't allow the SQLninja package to be added to Fedora. (unanimous)

= Fedora Elections Process =

* Nobody really stepped up to manage
** Chris Taylor has time to step in now
** Symptom of larger problem of heavily-involved folks getting burnt out
(Mdomsch)
** New Fedora Program manager coming onboard soon, taking over John
Poelstra's job. Will be announced via Jared's blog soon. (jsmith)
** Suggestion: Add election coordination to Fedora Program manager job
Description (spot)
* People didn't know where to submit their answers to the questionnaire
-Ongoing confusion on the list today

= Next Meeting =
Friday, November 12th (IRC office hours)
Monday, November 15th (Secretary: Smoogen)

[[Category: Board_meetings]

 

_______________________________________________
Advisory-board mailing list
Advisory-board@lists.fedoraproject.org