
One less pen-testing tool

Posted Nov 12, 2010 18:49 UTC (Fri) by till (guest, #50712)
In reply to: One less pen-testing tool by rahulsundaram
Parent article: Fedora rejects SQLninja

The focus on security in Fedora might have been true some years ago, but recently it is moving to ignore security more and more. E.g. it is more often recommended to install unsigned Fedora Rawhide packages on production systems or to use separate repositories with unsigned packages. Also, with preupgrade, an update method that does not verify the updated packages is promoted. And critical security updates are published with a big delay.

Now with banning security tools, the Fedora security lab does not sound that interesting anymore. If you read the feature list of sqlninja and know penetration testing, you will notice that they are the typical steps that are performed in a penetration test.
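The unsigned-repository concern raised above can be checked mechanically. The following is an added example, not code from the LWN thread or from Fedora: it audits yum/dnf-style repo definitions and reports every enabled section that does not set gpgcheck=1. The repo-file contents are constructed here for illustration (the repo names, URLs and the file:///srv/repo path are assumptions), and the parser assumes the plain key=value layout without spaces around the equals sign.

```shell
#!/bin/sh
# Added example (not from the thread): flag repo sections that skip
# package signature verification. The sample repo file below is constructed.

REPO_SAMPLE=$(cat <<'EOF'
[fedora]
name=Fedora 14 - x86_64
baseurl=http://download.fedoraproject.org/pub/fedora/linux/releases/14/Everything/x86_64/os/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-x86_64

[rawhide]
name=Fedora - Rawhide
baseurl=http://download.fedoraproject.org/pub/fedora/linux/development/rawhide/x86_64/os/
enabled=1
gpgcheck=0

[local-unsigned]
name=Locally built packages (assumed path)
baseurl=file:///srv/repo
enabled=1
EOF
)

# Read repo-file text on stdin; print "<section> gpgcheck=<value|missing>"
# for every enabled section whose gpgcheck is not exactly 1.
# A section with no gpgcheck line is treated as unverified, since the
# default then depends on the global yum/dnf configuration.
unverified_repos() {
    awk '
        function flush() {
            if (sect != "" && enabled != "0" && gpgcheck != "1")
                print sect " gpgcheck=" (gpgcheck == "" ? "missing" : gpgcheck)
        }
        /^\[.*\]$/  { flush(); sect = substr($0, 2, length($0) - 2); enabled = "1"; gpgcheck = ""; next }
        /^enabled=/  { enabled = substr($0, 9) }
        /^gpgcheck=/ { gpgcheck = substr($0, 10) }
        END { flush() }
    '
}

# On a real system the input would be: cat /etc/yum.repos.d/*.repo | unverified_repos
printf '%s\n' "$REPO_SAMPLE" | unverified_repos
```

A repo flagged here will have its packages installed without a signature check, which is the situation the comment describes for Rawhide and for separate unsigned repositories. For an individual package that has already been downloaded, `rpm -K <file>.rpm` (or `rpm --checksig`) reports whether it carries a valid signature from an imported key.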



One less pen-testing tool

Posted Nov 12, 2010 21:45 UTC (Fri) by rahulsundaram (subscriber, #21946)

1) Officially, we have always insisted that Rawhide packages are not recommended for stable release users and are not a means to Get New Stuff. Nevertheless, users tend to do that now and then and we have even taken steps to correct it, including not shipping a rawhide repo file by default. It is partly a social problem and not new at all.

2) Preupgrade - Yes, this is a potential problem and needs a fix. I would note that Richard Hughes is replacing Preupgrade with a distribution neutral tool built on top of PackageKit and would appreciate more help in getting it up and running.

3) Yes, thanks for bringing this up. We definitely need to fix this problem from the new update policy.

4) Not "security tools". Just one tool that Fedora is concerned about, for the legal implications, and I have been recommending a re-evaluation as well.

Overall, I still think we are doing a better job than many other distributions (cf. SELinux, compiler flags etc.).

