
Fedora rejects the hacking tool SQLninja

At its meeting on November 8, the Fedora Board discussed whether to include SQLninja, a tool that exploits SQL injection vulnerabilities, in the distribution. The outcome was a rejection, chiefly on the grounds that carrying it would increase the legal risk faced by Fedora's distributors; the Board's view was that the tool has essentially no foreseeable use other than unlawful ones. The LWN item and the full Board minutes follow.

Fedora rejects SQLninja
[Posted November 10, 2010 by corbet]
From: Mairin Duffy
To: advisory-board-AT-lists.fedoraproject.org
Subject: Fedora Board Recap 2010-11-08
Date: Mon, 08 Nov 2010 16:25:32 -0500
Message-ID: <1289251532.27252.10.camel@Brigid>


(These notes are available in wiki format at the following URL:
https://fedoraproject.org/wiki/Meeting:Board_meeting_2010...)

Below find the full minutes from today's Board meeting.

~m

= Board Meeting 2010 Nov 08 =

== Roll Call ==

=== Present ===
*Tom "spot" Callaway
*Rex Dieter
*Jared Smith
*Máirín Duffy
*Jon Stanley
*Matt Domsch
*Colin Walters
*Chris Tyler

=== Absent ===
''(None)''

=== Regrets ===
*Christopher Aillon
*Stephen Smoogen

== Agenda ==

'''Updates'''
* F14 shipped!  Hooray! Now let's get to work on F15

'''Board Business:'''
* [[#Community_Working_Group | #82: Draft a charter for a Community
Working Group]] ( https://fedorahosted.org/board/ticket/82 )
* [[#OpenRespect.org | http://openrespect.org -- Does the Fedora Board
agree with this statement?]]
* [[#New_Legal_Guideline | #86: New Legal Guideline]]
( https://fedorahosted.org/board/ticket/86 )
* [[#Fedora_Elections_Process | Fedora Elections Process]]

== Community Working Group ==

=== Specifics about the group ===
* '''Wiki page:'''
https://fedoraproject.org/wiki/Fedora_Community_Working_G...
* Tasks for the group
** Will need to come up with code-of-conduct
** Come up with proposal to enforce (if deemed needed)
* Group will have 5 members
* Time duration:
** Limited time span, like Board - 1 year lifetime.
** jds2001 talked to Jeff Mitchell in KDE group, said it is not a big
time sink.

=== Recruitment Process ===
* Karsten doesn't want to join, but wants to be an insider journalist
for the Open Source Way
** That's fine by us, no opposition - notes need to be sensitive to
private meeting content, however.
* Everyone else contacted, one interested, rest not interested, or not
interested in being a direct member of the group.

=== Candidate Decision ===
* How to select candidates? We talked about letting Rex select them or
having the Board vote, and decided to have a Board vote.
* '''Decision:''' We voted for 5 candidates + 1 alternate amongst the
nominations we received. These candidates will be contacted. In the case
where one of the candidates cannot serve, the alternate will be called
on. The candidates will be announced at some future point when they have
been confirmed.

== OpenRespect.org ==

=== Basic Information ===

* Joint statement between Linux distros about respecting each other &
communicating in a friendly/civil manner at http://openrespect.org
** Jono Bacon wrote it.
** Jono Bacon talked to Jared about this, and said he would draft a
statement and would involve Jared but ended up releasing via his blog
without collaborating before release and emailed Jared afterwards.

=== Board Discussion ===
* On first glance seems reasonable; what's the effect of having this out
there? So what? (ctyler)
* KDE community member Aaron Seigo weighs in and decides not to 'sign'
http://aseigo.blogspot.com/2010/11/commonality-and-commun...
** Makes the point that respect is earned. Be cordial & polite to folks
you don't know. There's a difference between being polite and respectful
(spot)
* Jono's Blog post on it:
http://www.jonobacon.org/2010/11/05/making-our-world-more...
** Tends to be slanted towards not 'picking on' Canonical; the spin
makes me uncomfortable (spot)
** Fab's comment on Jono's blog post points out difference between
respecting people and respecting companies (mizmo)
* Can have difference of opinion and still be polite (but respect? not
necessarily) (jsmith & jds2001)
** At the EtherPad FAD, someone tried to 'teach' Spot about licensing...
Spot had to be polite & nice... but didn't feel he respected his point
of view. Made every effort to be polite & cordial. Was that respectful?
Maybe not, but 125% trying to be polite and not saying anything hurtful.
There is a difference... if you disagree with someone who has lots of
well-research reasons for a different standpoint, still can be
respected. (spot)
* Don't see inclusion of legitimate criticism... that would be another
concern about how this is shaped (ctyler)
* Engaging honest, open, and polite debate. Does debate count as
criticism or is it okay? (rdieter)
** Statement seems to be anti-criticism. Hard time accepting as-is in
that case (rdieter)
* Think the statement should be about civility, not respect (mizmo)
(spot +1)
* Not sure (a) why this is necessary (b) what do we get from being a
part of it? (mdomsch)
* All the communities in FLOSS struggling to deal with these issues,
maybe could be part of the discussion but not the endpoint (ctyler ?)
* Concern: What about new guys (or gals) without a track record? How can
they be counted too? (mdomsch)
** respect is an aspect of new folks coming in, but courtesy & patience
are probably more applicable. if you show a new person courtesy &
patience, they have a chance to tackle the problems & earn respect
(spot)
** 'respect' has a lot of different meanings... having respect for
someone is different than being disrespectful (spot)
*** openantidisrespect.org (rdieter)

=== Board Decision ===
* How do we move forward? Say we don't approve it? Make wording change
suggestions? Ignore what he's doing and do our own thing? (jsmith)
** '''Decision:''' Say we don't approve of the statement and would like
to be involved earlier on similar efforts? (Spot)
** '''Decision:''' Can we ask jono to go back to the problem statement
and solicit some brainstorm / ideas (from various FLOSS projects) on how
to solve the problem? (mizmo)
** '''Decision:''' Point out a focus on civility as opposed to respect.
(Rex, mizmo+1)
** '''Idea:''' Could be cool to have a portal that points to various
FLOSS projects' statements/policies/codes-of-conducts? <= at least then
the website would serve an actual purpose :-p (mizmo)

== New Legal Guideline ==


=== Basic Information ===
* SQLninja package review request submitted. All that it does is try to
exploit vulnerabilities in SQL queries to give you root access on remote
systems / root equivalent on Windows systems. (Package request:
https://bugzilla.RedHat.com/show_bug.cgi?id=637402)
* Argument for SQLninja to be added to Fedora is that it is a
'penetration testing tool.'
* Where is the line between what we would take into Fedora b/c it is
free software vs. how hazardous it might be?
* We never had an explicit policy on this; wanted to wait until we
actually encountered it.
* RH Legal:
** Want us to add some text (text in ticket 86) - gives us another
loophole to add to the legal guidelines so we have the right to say the
app is too risky / too likely to be used for illegal/dangerous reasons.
So we can have some discretion over what is included.
** We do bear some additional risk from carrying a tool like this -
hacker can claim he didn't know about the tool before we made it visible
to him. Not terribly likely but concerning.

=== Proposal ===
* Spot proposes we add the new legal text, and also would like us to
decide on what to do about SQLninja in particular.

=== Board Discussion ===
* Just because you give someone a gun, it doesn't mean they aren't going to
shoot someone with it. (jds2001)
** This is advertised as 'get root on remote systems' - it doesn't
advertise itself as a security tool. (spot)
** Does it matter what they market themselves as? (colin)
** What about the Mozilla extension that creates webtraffic and logs you
into websites... might be instructive to know what Mozilla's guidelines
for extensions are. (colin)
*** Wasn't distributed by Mozilla, was distributed by developers
* Does the benefit of this app outweigh the risk? (Spot)
** Talked to a couple of folks who work in security, and they said
having tools like this easily accessible is useful for them. However, is
that the primary use case in practice? (Spot)
* We package Jack the Ripper (mdomsch)
** Less concerning because it's not remote/aggressive exploit, need the
actual password file from the system. Valid case of oh I forgot the
password. (Spot)
** If legitimate use seems to be more common than not, seems okay to me
(Spot)
* What is the actual risk? (mdomsch)
** Really hard to say (spot)
* Some legal disclaimer for the software we provide? We can't review
everything? (Colin)
** Spot asked about disclaiming liability for what people do with the
software - Legal said we can do that but it doesn't really do us
anything.
** for it to be more meaningful, digital signature... CLA won't help
because you don't have to be a contributor to use it.
** Software creators already disclaiming liability through GPL
* Upstream claims SQLninja too complex to set up, so not useful for
script kiddies. Has wording like, 'Feel free to have fun with this tool,
but this might get you in trouble with a lot of law enforcement
agencies.' (Spot)
* Who gets the discretion? FESCo? Board? Fedora Legal?
** If a legal nature, should be Board (jsmith, Spot) text updated to
reflect this
* Unfair to submit ex post facto blockers to packages (jds2001)
** SQLninja hasn't actually been reviewed yet so it's not ex post facto
(spot)

=== The Statement to be added to our legal guidelines ===

"Where, objectively speaking, the package has essentially no useful
foreseeable purposes other than those that are highly likely to be
illegal or unlawful in one or more major jurisdictions in which Fedora
is distributed or used, such that distributors of Fedora will face
heightened legal risk if Fedora were to include the package, then the
Fedora Project Board has discretion to deny inclusion of the package for
that reason alone."

=== Votes ===

'''Should we add this text to the Legal guidelines?'''

* Add the language:++++++
* Don't add language:


'''Should we approve or deny the SQLninja request in particular?'''

* Yes, SQLninja is okay to add:
* No, SQLninja shouldn't be added: +++++++

=== Board Decision ===

* We will add Spot's proposed language to the Fedora legal guidelines.
(unanimous)
* We won't allow the SQLninja package to be added to Fedora. (unanimous)

== Fedora Elections Process ==

* Nobody really stepped up to manage
** Chris Tyler has time to step in now
** Symptom of larger problem of heavily-involved folks getting burnt out
(mdomsch)
** New Fedora Program manager coming onboard soon, taking over John
Poelstra's job. Will be announced via Jared's blog soon. (jsmith)
** Suggestion: Add election coordination to Fedora Program manager job
description (spot)
* People didn't know where to submit their answers to the questionnaire
- ongoing confusion on the list today

== Next Meeting ==
Friday, November 12th (IRC office hours)
Monday, November 15th (Secretary: Smoogen)


[[Category:Board_meetings]]
