"Mr. police officer, I didn't know anything about these scary tools until Evil Fedora People showed me them"
Fedora rejects SQLninja
Posted Nov 10, 2010 18:02 UTC (Wed) by fandingo (subscriber, #67019)
On sqlninja's web page, the only two demos both detail how to not only identify vulnerable servers, but to hack into them and gain shell/GUI access. I would argue that this isn't a "security" tool insofar as it is useful to use tools that attackers use. Instead, this is a hacking tool, and should not be included.
Posted Nov 10, 2010 18:34 UTC (Wed) by ewan (subscriber, #5533)
The problem with that is that it's an ethical position, and people's ethics differ. Fedora is an explicitly pro-Free software organisation, so it makes sense to take a distribution-wide view on that, but there's no such single view on other issues. This particular issue may seem like a relatively uncontentious one, but it's just as 'off topic' for Fedora as more obviously controversial ethical stances would be.
Posted Nov 10, 2010 20:48 UTC (Wed) by ebiederm (subscriber, #35028)
Your objection to an ethical stance on ethical grounds is amusing.
Posted Nov 10, 2010 22:07 UTC (Wed) by ewan (subscriber, #5533)
Posted Nov 11, 2010 11:26 UTC (Thu) by jwakely (subscriber, #60262)
Posted Nov 11, 2010 13:32 UTC (Thu) by fandingo (subscriber, #67019)
Posted Nov 11, 2010 13:38 UTC (Thu) by rahulsundaram (subscriber, #21946)
Actually, the review request filed was blocking on legal to approve it. So it was never in the Fedora repository at any point.
Posted Nov 11, 2010 13:53 UTC (Thu) by ewan (subscriber, #5533)
The problem with this specific decision is that the policy wording seeks to exclude things that have "no useful foreseeable purposes other than those that are highly likely to be illegal or unlawful" but SQLninja doesn't seem to meet that test - using it on your own systems, as has been mentioned several times in this thread alone, is both legal and foreseeable.
If Fedora is going to set up a policy that says one thing, then do something else because the software makes the board members feel icky, that seems like a bad thing.
Posted Nov 11, 2010 17:21 UTC (Thu) by Cato (subscriber, #7643)
The solution is for someone to do a Fedora-based, security-oriented distro, like Backtrack, which is aimed at pen testing: http://www.backtrack-linux.org/
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.