
A "clarification" from Fedora on the SQLNinja decision

From:  "Jared K. Smith" <jsmith-AT-fedoraproject.org>
To:  advisory-board <advisory-board-AT-lists.fedoraproject.org>
Subject:  Clarification regarding the Board's decision on SQLNinja
Date:  Tue, 16 Nov 2010 13:16:20 -0500
Message-ID:  <AANLkTimx7kEazXZ21dg0ppeBd4oeexd7DcfMR5umDq_f@mail.gmail.com>

As many of you are well aware, the Fedora Board made a decision not to
include the SQLNinja package at our November 8th meeting.  In the
meantime, I've received quite a bit of feedback, and I'd like to take
this opportunity to provide a bit of clarification on the Board's
decision.  (Much of this text came from a comment I made on a blog
post earlier this week -- but several people prodded me and told me it
would be better posted here.)

Much of the feedback in the press and the feedback that I've received
personally seems to come from a false assumption that the Fedora Board
is somehow going after any program that *could* be used maliciously.
That is not our intention at all. I think the discussion is much more
nuanced than that, so please allow me to explain if I may.

In our Board meeting last week, we looked at SQLNinja specifically.
Our goal wasn't to set precedent for how to handle all such packages
in the future -- we simply set out with the goal of deciding whether
or not SQLNinja should be part of Fedora.

In the specific case of the SQLNinja tool, it's obviously very
squarely within the gray area between "security professional tool" and
"script-kiddie weapon". Since it's in the gray area and was flagged
for legal review, Spot took the first stab at it, and determined that
it does in fact add some additional legal risk to Fedora to carry the
SQLNinja package.  But because that risk is currently unclear, he
brought it to the Board for further consideration.  Let me also point
out that the legal risk wasn't the only reason we decided not to carry
it. As I've articulated previously on the advisory-board list, there
were several questions we asked ourselves as we made the
determination:

* Does the application have the potential to increase our legal
liability in a significant way?
* Does the application have significant legitimate uses outside of
attacking a system?
* How does the application market itself? As a security tool? As an
easy way to exploit others?
* How difficult would it be for a knowledgeable security professional to
build, versus an unskilled script-kiddie?
* Is this an application that could be easily hosted in a third-party
repository instead of Fedora?

Considering these questions against the other security tools that were
commonly mentioned in feedback I received (such as tcpdump), it is
pretty easy to see how they're different than SQLNinja. I should also
note that many of the objections to our decision were against blocking
security tools in general, not the SQLNinja package specifically.  (In
my own limited investigation, I have yet to find a single security
professional who was actively using the tool before our decision.
Others have since pointed out that they know of people actively using
SQLNinja.)  I should also point out that the SQLNinja package is
already available in one of the more popular third-party repositories,
so it's readily available to Fedora users, even if we choose not to
package it in the official Fedora repositories.

Given the level of feedback on this issue, however, the Fedora Board
voted to revisit this decision once they have some additional
information regarding the risks that SQLNinja might pose to Fedora.

Thanks for your comments and suggestions on this matter.

--
Jared Smith
Fedora Project Leader


A "clarification" from Fedora on the SQLNinja decision

Posted Nov 17, 2010 16:57 UTC (Wed) by mgedmin (subscriber, #34497) [Link] (1 responses)

Why did you put "clarification" in scare quotes?

A "clarification" from Fedora on the SQLNinja decision

Posted Nov 17, 2010 17:05 UTC (Wed) by corbet (editor, #1) [Link]

Because I'm not sure that the situation is a whole lot clearer. Because it was their word, and not mine.

A "clarification" from Fedora on the SQLNinja decision

Posted Nov 18, 2010 4:13 UTC (Thu) by djzort (guest, #57189) [Link] (5 responses)

another reason to use debian.

A "clarification" from Fedora on the SQLNinja decision

Posted Nov 18, 2010 4:24 UTC (Thu) by mjg59 (subscriber, #23239) [Link] (2 responses)

http://lwn.net/Articles/113644/

Posted Nov 19, 2010 11:53 UTC (Fri) by pr1268 (guest, #24648) [Link]

That was hilarious! Thanks for the link.

A "clarification" from Fedora on the SQLNinja decision

Posted Nov 19, 2010 12:53 UTC (Fri) by Np237 (guest, #69585) [Link]

In the end, the reason for not including hot-babe is that it was extremely buggy, to the point of uselessness.

I find it a bit hasty to compare it to the SQLNinja case.

A "clarification" from Fedora on the SQLNinja decision

Posted Nov 18, 2010 10:59 UTC (Thu) by jwakely (subscriber, #60262) [Link]

Oh noes, you have to use an alternative repo - the horror!
Why do you hate our way of life, Fedora?

This whole story's a joke. Distro doesn't include package no one's ever heard of. So what?

Why Debian?

Posted Nov 18, 2010 15:08 UTC (Thu) by pr1268 (guest, #24648) [Link]

Why Debian? Does Debian include SQLNinja? Oh wait, it does not (although two other "Ninja" packages are included).

I hope this doesn't turn into another distro flame war. I'm ambivalent towards Fedora's decision not to include SQLNinja, but from their better-safe-than-sorry legal approach, I kind of understand why.

A "clarification" from Fedora on the SQLNinja decision

Posted Nov 21, 2010 21:09 UTC (Sun) by drago01 (subscriber, #50715) [Link] (1 responses)

* Does the application have the potential to increase our legal
liability in a significant way?

IANAL but I doubt that, even the legal people aren't really sure.

* Does the application have significant legitimate uses outside of
attacking a system?

It clearly does.

* How does the application market itself? As a security tool? As an
easy way to exploit others?

How on earth does it matter? Would the board accept the software if one forked it and advertised it differently even if the code is 1:1 the same?

* How difficult would it be for a knowledgeable security professional to
build, versus an unskilled script-kiddie?

Making life harder for people because others can misuse it is the wrong way to solve problems.

* Is this an application that could be easily hosted in a third-party
repository instead of Fedora?

Any application can ... this question does not make any sense either.

So in the end I still think that this is the most idiotic decision the board ever made, and justifications like that do not make it any better.

A "clarification" from Fedora on the SQLNinja decision

Posted Nov 24, 2010 12:21 UTC (Wed) by mpr22 (subscriber, #60784) [Link]

Much though the whole topic of public relations gives many people in FOSS an "om vom vom" reaction, only the outright idiots among those people try to pretend that PR doesn't matter to FOSS projects. The author of SQLNinja markets it as an attack tool; putting something marketed by its own author as an attack tool into Fedora would be handing ammunition to the anti-FOSS shills. "Linux distribution endorses computer crime!"

Oh, and "even the legal people aren't really sure" sounds to me like good grounds for the Fedora board to be leery of putting it into Fedora.


Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds