I saw from the minutes of the Nov 8 board meeting that the board voted to adopt the following new policy:

"Where, objectively speaking, the package has essentially no useful foreseeable purposes other than those that are highly likely to be illegal or unlawful in one or more major jurisdictions in which Fedora is distributed or used, such that distributors of Fedora will face heightened legal risk if Fedora were to include the package, then the Fedora Project Board has discretion to deny inclusion of the package for that reason alone."

and voted to deny the request to add SQLninja as a package. The minutes do not make clear the justification for denying SQLninja. I wonder if there might be some confusion over the general nature of penetration testing tools.

1) I don't know whether the board thought that SQLninja violated the new policy. If that's what the board thought, I believe the board was mistaken. Perhaps it would help to point out that SQLninja most likely *does* have useful foreseeable purposes that are not illegal or unlawful: namely, penetration testing. The minutes suggest that board members seem to think that SQLninja has no beneficial use. The minutes also suggest confusion about penetration testing tools in general. I saw in the minutes the objection that SQLninja is advertised as 'get root on remote systems'. Are the board members aware that many penetration testing tools can be used to get root on remote systems, and that it is precisely for this reason that they are useful for (legal, lawful, authorized) penetration testing? Are the board members aware that legal penetration testing can, and sometimes does, include getting root on remote systems? To be clear: the new policy does not justify denying inclusion of SQLninja. SQLninja does not fall into the category that the policy articulates.

2) Some board members appear to have raised legal concerns. However, those were not made explicit in the minutes, and it looks like there has not been an analysis or ruling from Fedora Legal. Before the board ruled, the add package request (bug #63402) was blocked on FE-LEGAL, but it looks like the board voted to deny the request before hearing from FE-LEGAL. Moreover, I cannot find any place where the legal concerns are articulated, let alone a reference to a particular statute or justification for a concern. If the board is denying a package based upon legal concerns, can I suggest that the board ought to wait until it has an analysis from FE-LEGAL before voting to deny?

Of course, it is Fedora's choice whether it wants to package SQLninja, or any penetration testing tool, or indeed any security-related tool at all. However, I am concerned that the board has made a hasty decision based upon a misunderstanding of the nature of these tools. Therefore, I would recommend that the board take this up for reconsideration at the next board meeting.

_______________________________________________
advisory-board mailing list
advisory-board@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/advisory-board