
Fedora rejects SQLninja

From:  Mairin Duffy <duffy-AT-fedoraproject.org>
To:  advisory-board-AT-lists.fedoraproject.org
Subject:  Fedora Board Recap 2010-11-08
Date:  Mon, 08 Nov 2010 16:25:32 -0500
Message-ID:  <1289251532.27252.10.camel@Brigid>
Archive-link:  Article

(These notes are available in wiki format at the following URL:
https://fedoraproject.org/wiki/Meeting:Board_meeting_2010...)

Below find the full minutes from today's Board meeting.

~m

= Board Meeting 2010 Nov 08 =

== Roll Call ==

=== Present ===
*Tom "spot" Callaway
*Rex Dieter
*Jared Smith
*Máirín Duffy
*Jon Stanley
*Matt Domsch
*Colin Walters
*Chris Tyler

=== Absent ===
''(None)''

=== Regrets ===
*Christopher Aillon
*Stephen Smoogen

== Agenda ==

'''Updates'''
* F14 shipped!  Hooray! Now let's get to work on F15

'''Board Business:'''
* [[#Community_Working_Group | #82: Draft a charter for a Community
Working Group]] ( https://fedorahosted.org/board/ticket/82 )
* [[#OpenRespect.org | http://openrespect.org -- Does the Fedora Board
agree with this statement?]] 
* [[#New_Legal_Guideline | #86: New Legal Guideline]]
( https://fedorahosted.org/board/ticket/86 ) 
* [[#Fedora_Elections_Process | Fedora Elections Process]]

== Community Working Group ==

=== Specifics about the group ===
* '''Wiki page:'''
https://fedoraproject.org/wiki/Fedora_Community_Working_G...
* Tasks for the group
** Will need to come up with code-of-conduct
** Come up with proposal to enforce (if deemed needed)
* Group will have 5 members
* Time duration:
** Limited time span, like Board - 1 year lifetime.
** jds2001 talked to Jeff Mitchell in KDE group, said it is not a big
time sink.

=== Recruitment Process ===
* Karsten doesn't want to join, but wants to be an insider journalist
for the Open Source Way 
** That's fine by us, no opposition - notes need to be sensitive to
private meeting content, however.
* Everyone else contacted, one interested, rest not interested, or not
interested in being a direct member of the group.

=== Candidate Decision ===
* How to select candidates? We talked about letting Rex select them or
having the Board vote, and decided to have a Board vote.
* '''Decision:''' We voted for 5 candidates + 1 alternate amongst the
nominations we received. These candidates will be contacted. In the case
where one of the candidates cannot serve, the alternate will be called
on. The candidates will be announced at some future point when they have
been confirmed.

== OpenRespect.org ==

=== Basic Information ===

* Joint statement between Linux distros about respecting each other &
communicating in a friendly/civil manner at http://openrespect.org
** Jono Bacon wrote it.
** Jono Bacon talked to Jared about this, and said he would draft a
statement and would involve Jared but ended up releasing via his blog
without collaborating before release and emailed Jared afterwards.

=== Board Discussion ===
* On first glance seems reasonable; what's the effect of having this out
there? So what? (ctyler)
* KDE community member Aaron Seigo weighs in and decides not to 'sign'
http://aseigo.blogspot.com/2010/11/commonality-and-commun...
** Makes the point that respect is earned. Be cordial & polite to folks
you don't know. There's a difference between being polite and respectful
(spot)
* Jono's Blog post on it:
http://www.jonobacon.org/2010/11/05/making-our-world-more... 
** Tends to be slanted towards not 'picking on' Canonical; the spin
makes me uncomfortable (spot)
** Fab's comment on Jono's blog post points out difference between
respecting people and respecting companies (mizmo)
* Can have difference of opinion and still be polite (but respect? not
necessarily) (jsmith & jds2001)
** At the EtherPad FAD, someone tried to 'teach' Spot about licensing...
Spot had to be polite & nice... but didn't feel he respected his point
of view. Made every effort to be polite & cordial. Was that respectful?
Maybe not, but 125% trying to be polite and not saying anything hurtful.
There is a difference... if you disagree with someone who has lots of
well-researched reasons for a different standpoint, still can be
respected. (spot)
* Don't see inclusion of legitimate criticism... that would be another
concern about how this is shaped (ctyler)
* Engaging honest, open, and polite debate. Does debate count as
criticism or is it okay? (rdieter)
** Statement seems to be anti-criticism. Hard time accepting as-is in
that case (rdieter)
* Think the statement should be about civility, not respect (mizmo)
(spot +1) 
* Not sure (a) why this is necessary (b) what do we get from being a
part of it? (mdomsch)
* All the communities in FLOSS struggling to deal with these issues,
maybe could be part of the discussion but not the endpoint (ctyler ?)
* Concern: What about new guys (or gals) without a track record? How can
they be counted too? (mdomsch)
** respect is an aspect of new folks coming in, but courtesy & patience
are probably more applicable. if you show a new person courtesy &
patience, they have a chance to tackle the problems & earn respect
(spot)
** 'respect' has a lot of different meanings... having respect for
someone is different than being disrespectful (spot)
*** openantidisrespect.org (rdieter)

=== Board Decision ===
* How do we move forward? Say we don't approve it? Make wording change
suggestions? Ignore what he's doing and do our own thing? (jsmith)
** '''Decision:''' Say we don't approve of the statement and would like
to be involved earlier on similar efforts? (Spot)
** '''Decision:''' Can we ask jono to go back to the problem statement
and solicit some brainstorm / ideas (from various FLOSS projects) on how
to solve the problem? (mizmo)
** '''Decision:''' Point out a focus on civility as opposed to respect.
(Rex, mizmo+1)
** '''Idea:''' Could be cool to have a portal that points to various
FLOSS projects' statements/policies/codes-of-conducts? <= at least then
the website would serve an actual purpose :-p (mizmo)

== New Legal Guideline ==


=== Basic Information ===
* SQLninja package review request submitted. All that it does is try to
exploit vulnerabilities in SQL queries to give you root access on remote
systems / root equivalent on Windows systems. (Package request:
https://bugzilla.redhat.com/show_bug.cgi?id=637402)
* Argument for SQLninja to be added to Fedora is that it is a
'penetration testing tool.'
* Where is the line between what we would take into Fedora b/c it is
free software vs. how hazardous it might be?
* We never had an explicit policy on this; wanted to wait until we
actually encountered it.
* RH Legal:
** Want us to add some text (text in ticket 86) - gives us another
loophole to add to the legal guidelines so we have the right to say the
app is too risky / too likely to be used for illegal/dangerous reasons.
So we can have some discretion over what is included. 
** We do bear some additional risk from carrying a tool like this -
hacker can claim he didn't know about the tool before we made it visible
to him. Not terribly likely but concerning.

=== Proposal ===
* Spot proposes we add the new legal text, and also would like us to
decide on what to do about SQLninja in particular.

=== Board Discussion ===
* Just bc you give someone a gun, it doesn't mean they aren't going to
shoot someone with it. (jds2001)
** This is advertised as 'get root on remote systems' - it doesn't
advertise itself as a security tool. (spot)
** Does it matter what they market themselves as? (colin)
** What about the Mozilla extension that creates webtraffic and logs you
into websites... might be instructive to know what Mozilla's guidelines
for extensions are. (colin)
*** Wasn't distributed by Mozilla, was distributed by developers 
* Does the benefit of this app outweigh the risk? (Spot)
** Talked to a couple of folks who work in security, and they said
having tools like this easily accessible is useful for them. However, is
that the primary use case in practice? (Spot)
* We package Jack the Ripper (mdomsch)
** Less concerning because it's not remote/aggressive exploit, need the
actual password file from the system. Valid case of oh I forgot the
password. (Spot)
** If legitimate use seems to be more common than not, seems okay to me
(Spot)
* What is the actual risk? (mdomsch)
** Really hard to say (spot)
* Some legal disclaimer for the software we provide? We can't review
everything? (Colin)
** Spot asked about disclaiming liability for what people do with the
software - Legal said we can do that but it doesn't really do us
anything.
** for it to be more meaningful, digital signature... CLA won't help
because you don't have to be a contributor to use it.
** Software creators already disclaiming liability through GPL
* Upstream claims SQLninja too complex to set up, so not useful for
script kiddies. Has wording like, 'Feel free to have fun with this tool,
but this might get you in trouble with a lot of law enforcement
agencies.' (Spot)
* Who gets the discretion? FESCo? Board? Fedora Legal?
** If a legal nature, should be Board (jsmith, Spot) text updated to
reflect this
* Unfair to submit ex post facto blockers to packages (jds2001)
** SQLninja hasn't actually been reviewed yet so it's not ex post facto
(spot)

=== The Statement to be added to our legal guidelines ===

"Where, objectively speaking, the package has essentially no useful
foreseeable purposes other than those that are highly likely to be
illegal or unlawful in one or more major jurisdictions in which Fedora
is distributed or used, such that distributors of Fedora will face
heightened legal risk if Fedora were to include the package, then the
Fedora Project Board has discretion to deny inclusion of the package for
that reason alone."

=== Votes ===

'''Should we add this text to the Legal guidelines?'''

* Add the language:++++++
* Don't add language:


'''Should we approve or deny the SQLninja request in particular?'''

* Yes, SQLninja is okay to add: 
* No, SQLninja shouldn't be added: +++++++

=== Board Decision ===

* We will add Spot's proposed language to the Fedora legal guidelines.
(unanimous)
* We won't allow the SQLninja package to be added to Fedora. (unanimous)

== Fedora Elections Process ==

* Nobody really stepped up to manage
** Chris Tyler has time to step in now
** Symptom of larger problem of heavily-involved folks getting burnt out
(mdomsch)
** New Fedora Program manager coming onboard soon, taking over John
Poelstra's job. Will be announced via Jared's blog soon. (jsmith)
** Suggestion: Add election coordination to Fedora Program manager job
description (spot)
* People didn't know where to submit their answers to the questionnaire
- ongoing confusion on the list today

== Next Meeting ==
Friday, November 12th (IRC office hours)
Monday, November 15th (Secretary: Smoogen)


[[Category:Board_meetings]]



_______________________________________________
advisory-board mailing list
advisory-board@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/advisory...


Fedora rejects SQLninja

Posted Nov 10, 2010 16:53 UTC (Wed) by pcampe (guest, #28223) [Link]

I have no opinion on SQLninja, but according to this new rule, Tor must be removed as it helps circumventing censorship systems in major markets...ehm countries like China.

Fedora rejects SQLninja

Posted Nov 10, 2010 16:57 UTC (Wed) by nteon (subscriber, #53899) [Link]

the language is "has discretion to deny inclusion of the package for
that reason alone", not "must deny inclusion".

Fedora rejects SQLninja

Posted Nov 10, 2010 17:04 UTC (Wed) by dmarti (subscriber, #11625) [Link]

It would be reassuring to see a human rights exception here. Don't know how it would be worded, though.

Fedora rejects SQLninja

Posted Nov 10, 2010 22:57 UTC (Wed) by steelhoof (guest, #71163) [Link]

the concept behind tor is hugely about sidestepping restrictions and maintaining anonymous connections. Why else would one want tor if not to conceal identity and/or restrictions.

Fedora rejects SQLninja

Posted Nov 10, 2010 23:10 UTC (Wed) by steelhoof (guest, #71163) [Link]

On that previous comment, what other reason would one want the capabilities of SQLninja if not to practice the craft of stealthily injecting and cracking? This qualifies as a kiddie tool for the unskilled to wreak havoc.

Best for the tool to not be in the repository.

Fedora rejects SQLninja

Posted Nov 11, 2010 9:06 UTC (Thu) by pcampe (guest, #28223) [Link]

I don't care about SQLninja, really. I care about the policy.

Fedora rejects SQLninja

Posted Nov 11, 2010 17:17 UTC (Thu) by Cato (subscriber, #7643) [Link]

There's a valid use of this and other penetration testing tools where you own the web app installation, or have been contracted by the owner to test security.

However, I can understand why Fedora doesn't want to distribute such tools - many people would use them for illegal purposes, and such tools are more clearly aimed at site hacking/cracking than more generic tools such as Perl (very popular as an exploit tool thanks to libwww-perl, but mostly used for non-exploit purposes.)

Fedora rejects SQLninja

Posted Nov 12, 2010 2:38 UTC (Fri) by gerdesj (subscriber, #5446) [Link]

Get a grip.

This is a penetration tool. Either you use it for "good" or "bad". In the end it is still a tool.

It is a piece of software, not something that can hurt you physically - it enables an admin to test their system from the outside for flaws. Yes - it also allows someone else to do the same.

Is that bad?

If I really wanted to test the physical properties of my body, I might start with a really long run, OK a really short run. Err, maybe I'll just wheeze a bit. But I reserve the right to test those limits in any way I choose.

I refuse to allow noddys like you to lose perspective - SQLninja is just a program which is designed to show design flaws in another program.

Use whatever pejorative language you like but its just a piece of auditing software in the end.

Cheers
Jon

Fedora rejects SQLninja

Posted Nov 10, 2010 17:14 UTC (Wed) by peter_lemenkov (subscriber, #71124) [Link]

Nmap and nc are in danger.

"Mr. police officer, I didn't know anything about these scary tools until Evil Fedora People showed me them"

Fedora rejects SQLninja

Posted Nov 10, 2010 18:02 UTC (Wed) by fandingo (subscriber, #67019) [Link]

That's not a reasonable comparison. Nmap and nc can't be used directly to hack into a box. Nmap and nc are tools, which need to be carefully configured to attack someone. Realistically nmap, at best, could be considered a reconnaissance tool. On the other hand, SQLninja is specifically designed to find and attack servers. Sure there are legitimate uses, but including (semi-)automated attack tools has ethical and, less likely, legal implications. We don't really think that much about 'branding' with Linux Distros, but blog entries with titles like "How to hack SQL servers in Fedora X" can deeply undermine the credibility of a distro.

On sqlninja's web page, the only two demos both detail how to not only identify vulnerable servers, but to hack into them and gain shell/GUI access. I would argue that this isn't a "security" tool insofar as it is useful to use tools that attackers use. Instead, this is a hacking tool, and should not be included.

Fedora rejects SQLninja

Posted Nov 10, 2010 18:34 UTC (Wed) by ewan (subscriber, #5533) [Link]

Instead, this is a hacking tool, and should not be included.

The problem with that is that it's an ethical position, and people's ethics differ. Fedora is an explicitly pro-Free software organisation, so it makes sense to take a distribution-wide view on that, but there's no such single view on other issues. This particular issue may seem like a relatively uncontentious one, but it's just as 'off topic' for Fedora as more obviously controversial ethical stances would be.

Fedora rejects SQLninja

Posted Nov 10, 2010 20:48 UTC (Wed) by ebiederm (subscriber, #35028) [Link]

Following your own personal ethics is always ethically sound.

Your objection to an ethical stance on ethical grounds is amusing.

Fedora rejects SQLninja

Posted Nov 10, 2010 22:07 UTC (Wed) by ewan (subscriber, #5533) [Link]

This isn't about personal ethics though, it's about a small group of people imposing their personal ethics on others who may or may not share them. It's one thing some Fedorans deciding that they personally don't want to use a particular tool, quite another to make it harder than necessary for others to use it.

Fedora rejects SQLninja

Posted Nov 11, 2010 11:26 UTC (Thu) by jwakely (guest, #60262) [Link]

make it harder than necessary? in what way? I didn't see any suggestion of preventing users installing it themselves. If you can't install it without the help of PackageKit then I'm fairly sure you don't need it.

Fedora rejects SQLninja

Posted Nov 11, 2010 13:32 UTC (Thu) by fandingo (subscriber, #67019) [Link]

Well, it actually goes further than that. SQLNinja was never considered for a default install. This change was to remove it from Fedora's repositories. Maybe RPMFusion or the like will offer it, but the project's site doesn't list repos, so you'd have to build from source. I don't think that's much of a problem, though. Users of something this powerful should at least be able to compile a program...

Fedora rejects SQLninja

Posted Nov 11, 2010 13:38 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link]

"Well, it actually goes further than that. SQLNinja was never considered for a default install. This change was to remove it from Fedora's repositories. "

Actually, the review request filed was blocking on legal to approve it. So it was never in the Fedora repository at any point.

Fedora rejects SQLninja

Posted Nov 11, 2010 13:53 UTC (Thu) by ewan (subscriber, #5533) [Link]

I'm fairly sure I could build a working system from original source tarballs from around the web, but I'd still rather not. Your logic could happily eliminate most special purpose technical tools from a distribution on the basis that would-be users should be capable of getting them themselves. Like a poster above, I'm not too concerned about SQLninja specifically, but about the policy. We have been here before with bits of Free software that some people find 'unethical', and it still doesn't seem like a good basis for making technical decisions.

The problem with this specific decision is that the policy wording seeks to exclude things that have "no useful foreseeable purposes other than those that are highly likely to be illegal or unlawful" but SQLninja doesn't seem to meet that test - using it on your own systems, as has been mentioned several times in this thread alone, is both legal and foreseeable.

If Fedora is going to set up a policy that says one thing, then do something else because the software makes the board members feel icky, that seems like a bad thing.

Fedora rejects SQLninja

Posted Nov 11, 2010 17:21 UTC (Thu) by Cato (subscriber, #7643) [Link]

I think it's about probability of illegal use. Perl can be and is used to hack systems via libwww-perl exploit scripts (in fact some site owners block its user agent for this reason), but the percentage of illegal use of Perl is tiny. SQLninja and other pen testing tools are highly likely to be used illegally.

The solution is for someone to do a Fedora-based security oriented distro, like Backtrack, which is aimed at pen testing: http://www.backtrack-linux.org/

Fedora rejects SQLninja

Posted Nov 10, 2010 17:15 UTC (Wed) by ewan (subscriber, #5533) [Link]

Joint statement between Linux distros about respecting each other & communicating in a friendly/civil manner at http://openrespect.org
Jono Bacon wrote it.
Jono Bacon talked to Jared about this, and said he would draft a statement and would involve Jared but ended up releasing via his blog without collaborating before release and emailed Jared afterwards.

That is comedy gold.

Fedora rejects SQLninja

Posted Nov 10, 2010 17:40 UTC (Wed) by frnknstn (guest, #68647) [Link]

The text supplied is perfectly reasonable. If a tool's only foreseeable purposes are illegal, then discretion is very much a virtue.

However, as reflected in these minutes, that case does not apply to SQLninja. Other uses that are clearly not illegal were discussed, so why are they rejecting this package?

Fedora rejects SQLninja

Posted Nov 10, 2010 18:00 UTC (Wed) by JoeBuck (guest, #2330) [Link]

No matter; those who have a use for it will get it from rpmfusion or some other third-party repository. I'm sure that Red Hat Legal had something to do with this; they may fear legal liability (and perhaps they are being overly cautious).

Fedora rejects SQLninja

Posted Nov 10, 2010 18:29 UTC (Wed) by gus3 (guest, #61103) [Link]

As indicated in the minutes, SQLninja is actively branded on its homepage as "a SQL Server injection *and takeover* tool".

If you need SQLninja to take over a system, odds are approaching 1 that you don't have access rights to it anyway.

Fedora rejects SQLninja

Posted Nov 10, 2010 21:40 UTC (Wed) by ballombe (subscriber, #9523) [Link]

You do not feel tempted to use it on you own servers to check whether they can be subverted?

Fedora rejects SQLninja

Posted Nov 11, 2010 7:40 UTC (Thu) by codefisher (guest, #64993) [Link]

About to download it now for that very purpose, see if I can break into my own server. If it turns out I can, I am going to be changing setting till it will no longer work.

Fedora rejects SQLninja

Posted Nov 11, 2010 9:15 UTC (Thu) by dlang (subscriber, #313) [Link]

this is exactly the wrong way to provide security. you are looking to fix the symptom instead of fixing the underlying problem.

once the tool no longer works, you may or may not have actually fixed the real problem, all that you know is that this particular tool no longer works.

if you have a problem with SQL injection, you don't need a 'takeover' tool to show you that, you just need a fuzzing tool and watch your database logs for strange errors.

if you do have a SQL injection vulnerability, what you need to do is go back and look at your application design and how you are doing input validation and how you are interacting with the database (sanitization of database query parameters, switching to prepared statements, etc) and fix the problem at a conceptual level, that way you not only defend against this particular tool, you also defend against the entire class of tools that send you bogus input in the hope that it breaks you.

If you have this in place and a fuzzing tool still shows problems, then you have a bug in your input validation code, which means it's time to go back and really review the code, not just twist knobs until you don't see the breakage anymore.
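An added illustration of the point made in the comment above (not code from the page or from any of the tools it discusses): the same lookup written by string concatenation and as a prepared statement, run against a constructed in-memory SQLite table, with a small fuzz pass that records the database errors and over-broad results a defender would watch for. The table, rows and fuzz inputs are all constructed for this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database (not from the page): a small users table
    standing in for an application's backing store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """String-concatenated query: the caller's input becomes part of the SQL
    text, so quotes and operators in it are parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Prepared statement: the driver binds the value as data; it is never
    parsed as SQL, whatever characters it contains."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Constructed fuzz inputs: ordinary names plus the SQL metacharacters a generic
# fuzzer sends to provoke syntax errors in a string-built query.
FUZZ_INPUTS = ["alice", "o'brien", '"', "' OR '1'='1", "x' --", "x; DROP TABLE users"]


def fuzz(conn: sqlite3.Connection, lookup) -> dict:
    """Run every fuzz input through `lookup`. Record database errors (the
    'strange errors' in the database log that the comment says to watch for)
    and any input that returns more rows than an exact-match lookup can
    legitimately return (at most one)."""
    errors, overbroad = [], []
    for value in FUZZ_INPUTS:
        try:
            rows = lookup(conn, value)
        except sqlite3.Error as exc:
            errors.append((value, type(exc).__name__))
            continue
        if len(rows) > 1:
            overbroad.append((value, len(rows)))
    return {"errors": errors, "overbroad": overbroad}


if __name__ == "__main__":
    for label, fn in (("concatenated", lookup_vulnerable),
                      ("parameterized", lookup_parameterized)):
        print(label, fuzz(make_db(), fn))
```

Against the concatenated query the fuzz pass reports one syntax error and one input that returns every row; against the prepared statement it reports nothing, which is the class-level fix the comment describes.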

Fedora rejects SQLninja

Posted Nov 11, 2010 16:21 UTC (Thu) by gidoca (subscriber, #62438) [Link]

You are right /if/ you know that you have a SQL injection. However, if you're not sure, you might just introduce one and see if you can break in using sqlninja. After all, being able to get full access to a server by exploiting a SQL injection is pretty serious. If you can, IMHO you better do something about it, even if you don't currently vulnerable to SQL injections. Like, for instance, move away from MS SQL Server (which seems to be the only SQL server sqlninja supports).

Fedora rejects SQLninja

Posted Nov 11, 2010 16:23 UTC (Thu) by gidoca (subscriber, #62438) [Link]

I meant to say: "...even if your software isn't vulnerable to..."

Fedora rejects SQLninja

Posted Nov 12, 2010 19:22 UTC (Fri) by till (subscriber, #50712) [Link]

The takeover tool comes in handy to demonstrate developers how bad SQL injections can be. If they see how easy one can be used to gain full access on a system, they will more likely be more cautious in the future.

Fedora rejects SQLninja

Posted Nov 11, 2010 13:16 UTC (Thu) by Trou.fr (subscriber, #26289) [Link]

Believe it or not, some people out there get their systems audited, and pentesters actually do break into systems legally. Most penetration tools are actually written by people trying to do their job more efficiently.

Fedora rejects SQLninja

Posted Nov 10, 2010 18:31 UTC (Wed) by jspaleta (subscriber, #50639) [Link]

I expect there to be further discussion along these lines. When a tool can be used for both legal and illegal purposes, how do we judge whether the technology is too risky to include?

A policy such as this needs to be balanced with some specific tests concerning likely or foreseeable use to put some guidance in place for the packaging community and for future Boards members into the very subjective discretionary space this policy carves out.

This would be easier if the Fedora Board were a legally binding court of law in some jurisdiction. If they were, the board's resulting policy statement would help clarify risks. But since they aren't, this policy has to be viewed in the light of an ongoing risk-management conversation.

-jef

Fedora rejects SQLninja

Posted Nov 11, 2010 9:14 UTC (Thu) by pcampe (guest, #28223) [Link]

>I expect there to be further discussion along these lines. When a tool can
>be used for both legal and illegal purposes, how do we judge whether the
>technology is too risky to include?

The point is the definition of "illegal", because circumventing the censorship in Iran or China is illegal, and China is a major country (note that the rule is about "major jurisdictions" and not democracies, quite a big difference in the context).

According to this rule, we could devise a "Fedora China", with tor and many other packages stripped off: which is disgusting, really.

Fedora rejects SQLninja

Posted Nov 11, 2010 13:40 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link]

If you call it Fedora something, you need Fedora Board to approve it which wouldn't happen without strong reasons and sufficient justification.

Fedora rejects SQLninja

Posted Nov 11, 2010 14:07 UTC (Thu) by pcampe (guest, #28223) [Link]

When I fear of a "Fedora China", I fear of something made by the Fedora Board, to comply with some "major jurisdiction".

Fedora rejects SQLninja

Posted Nov 11, 2010 17:43 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link]

It is never "some major jurisdiction". It is clearly defined. Fedora is sponsored by Red Hat and Red Hat is a U.S. organization.

One less pen-testing tool

Posted Nov 11, 2010 6:19 UTC (Thu) by pabs (subscriber, #43278) [Link]

Dear security professionals,

Sorry, this is not the distribution for you. Go away. Evildoers!!!

Sincerely,
Fedora

Pretty sure this package would get into Debian if the software is good.

One less pen-testing tool

Posted Nov 11, 2010 6:37 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link]

That's funny. Fedora is often the first to implement new security features and releases Fedora Security Lab as well

http://spins.fedoraproject.org/security/

One less pen-testing tool

Posted Nov 12, 2010 18:49 UTC (Fri) by till (subscriber, #50712) [Link]

The focus on security in Fedora might have been true some years ago, but recently it is moving to ignore security more and more. E.g. it is more often recommended to install unsigned Fedora Rawhide packages on productive systems or to use separate repositories with unsigned packages. Also with preupgrade an update method that does not verify the updated packages is promoted. And critical security updates are published with a big delay.

Now with banning security tools, the Fedora security lab does not sound that interesting anymore. If you read the feature list of sqlninja and know penetration testing, you will notice that they are the typical steps that are performed in a penetration test.

One less pen-testing tool

Posted Nov 12, 2010 21:45 UTC (Fri) by rahulsundaram (subscriber, #21946) [Link]

1) Officially, we have always insisted that Rawhide packages are not recommended for stable release users and not a means to Get New Stuff. Nevertheless users tend to do that now and then and we have even taken steps to correct it including not shipping a rawhide repo file by default. It is in part a social problem and not new at all.

2) Preupgrade - Yes, this is a potential problem and needs a fix. I would note that Richard Hughes is replacing Preupgrade with a distribution neutral tool built on top of PackageKit and would appreciate more help in getting it up and running.

3) Yes, thanks for bringing this up. We definitely need to fix this problem from the new update policy

4) Not "security tools". Just one tool that Fedora is concerned about, for the legal implications, and I have been recommending a re-evaluation as well

Overall, I still think we are doing a better job than many other distributions (c.f. SELinux, compiler flags etc)

Fedora rejects SQLninja

Posted Nov 12, 2010 12:35 UTC (Fri) by MKesper (guest, #38539) [Link]

This is NUTS!
Next step will be shops stopping selling kitchen knives because they are used so often for killing people.

Fedora rejects SQLninja

Posted Nov 12, 2010 13:55 UTC (Fri) by marcH (subscriber, #57642) [Link]

Fedora rejects SQLninja

Posted Nov 12, 2010 18:19 UTC (Fri) by drago01 (subscriber, #50715) [Link]

I missed the whole discussion regarding this but this decision is not only wrong but it sets a bad precedent. Banning software on the ground of being able to crack systems, and no it doesn't matter whether it is advertised as such, as it can be used for other purposes like validating the security of systems.

This is by far the most idiotic decision the Fedora Board ever made. Not that I care about the particular tool here, but banning software only based on FUD (this is exactly what happened here) is wrong, wrong and in case you missed it WRONG!

Fedora rejects SQLninja

Posted Nov 13, 2010 19:16 UTC (Sat) by ricky (subscriber, #45937) [Link]

There was some more discussion about this at the most recent public board meeting yesterday: http://meetbot.fedoraproject.org/fedora-board-meeting/201...

Also, it seems that the board will revisit this topic after the actual legal risk can be better understood: http://lists.fedoraproject.org/pipermail/advisory-board/2...

Fedora rejects SQLninja

Posted Nov 15, 2010 18:04 UTC (Mon) by duffy (guest, #31787) [Link]

@pabs

Is MSSQL commonly allowed on networks administered by security professionals?

Fedora rejects SQLninja

Posted Nov 15, 2010 18:27 UTC (Mon) by ricky (subscriber, #45937) [Link]

Maybe not, but I'm pretty sure it's commonly used on networks tested by security professionals, and it'd be awesome if they used Fedora to do it.

Fedora rejects SQLninja

Posted Nov 15, 2010 18:36 UTC (Mon) by dlang (subscriber, #313) [Link]

absolutely.

security professionals have less control over what gets run on the networks they are hired to administer than you seem to think.

In addition, MSSQL can be used with reasonable safety, it's all in how you have it setup and what you allow to connect to it.

Fedora rejects SQLninja

Posted Nov 15, 2010 23:42 UTC (Mon) by duffy (guest, #31787) [Link]

I didn't say that they had complete control; rather I wonder how commonly MSSQL is used in such an environment.

Fedora rejects SQLninja

Posted Nov 16, 2010 1:16 UTC (Tue) by dlang (subscriber, #313) [Link]

it's very common. there are a lot of applications that cannot talk to any other database. these may not be customer facing applications, they may be admin tools of various kinds, but the end result is that it's very common.


Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds