On Tue, Nov 9, 2010 at 15:43, Ricky Zhou <ricky@xxxxxxxxxxxxxxxxx> wrote:
> On 2010-11-09 09:11:43 AM, Jared K. Smith wrote:
>> In the case of this particular application, it seems the authors have
>> gone out of their way to say "This is a tool for automating SQL
>> injection attacks so that you can exploit someone else's system", and
>> as such, does open Fedora up to some legal risk. I'm not a lawyer,
>> but I know Spot (as the official Fedora legal representative) well
>> enough to know that if it makes him nervous, I should probably be
>> a bit nervous as well.
>
> I disagree a bit here - while the author is very explicit about what the
> tool actually does, I think he makes it pretty clear as well that it's
> targeted at penetration testers.
>
> Just another data point - I sometimes participate in computer security
> competitions where tools like this could be useful in a legal way.
>
> I'm pretty surprised to see that we've decided to disallow a package
> like this when the actual legal risks to us/Red Hat haven't been
> discussed or even determined. Do you think this might have been a
> little bit of a kneejerk reaction to some vague and yet-to-be-determined
> legal fears?
>
> Just to be clear, I'm not against the statement that was added to the
> legal guidelines, I just don't see why this package in particular didn't
> pass the test for having useful legal purposes (or how its inclusion
> causes any actual heightened legal risk). I'm afraid that this decision
> will set a bad precedent when looking at other packages in the future.

I apologize to various people for not being able to attend Monday's meeting. I am in a weird position here: while I have not used this particular tool, I have pretty much used every one on the security list over time in security work. I have also found pretty much all those tools on compromised machines over time.

My security administrator hat says that even sqlninja has a place in figuring out where you stand in the sewer of network security. However, I also realize that liability law in the United States makes this a troublesome issue for a public company. Looking over the discussion, I do not believe I could have brought anything substantive to change people's minds. I understand the decision even if I do not agree with it. I can see that tools like this and metasploit are troublesome from a liability issue, and bringing it up again for reconsideration is not going to help.

From an infrastructure point of view, do we need to make sure that this and similar tools are not on repos or similar fedoraproject.org places?

-- 
Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance." Randy Nelson, President of Pixar University.
"Let us be kind, one to another, for most of us are fighting a hard battle." -- Ian MacLaren

_______________________________________________
advisory-board mailing list
advisory-board@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/advisory-board