19:01:11 <jsmith> #startmeeting Fedora Board IRC Meeting (open office hours)
19:01:11 <zodbot> Meeting started Fri Nov 12 19:01:11 2010 UTC. The chair is jsmith. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:01:11 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:01:16 <jsmith> #meetingname Fedora Board
19:01:17 <zodbot> The meeting name has been set to 'fedora_board'
19:01:44 <jsmith> #topic Roll Call of Board Members
19:01:52 * mdomsch
19:02:07 <jsmith> Looks like we have mdomsch, ctyler, jds2001, smooge, and myself so far
19:02:50 <jsmith> Just a reminder that we use the protocol listed at https://fedoraproject.org/wiki/Board_public_IRC_meetings to help keep the conversation clear and focused
19:02:54 <smooge> I am sort of here. dealing with some infrastructure issues
19:03:09 <jsmith> Thanks smooge
19:03:38 <jsmith> #topic Open questions and answers
19:05:24 <jsmith> OK, if you've got a question, type a question mark, and we'll call on you in turn
19:05:41 <jsmith> If you've got a comment on the existing question, type an exclamation mark
19:06:36 <jsmith> Any questions?
19:06:54 <aTypical> <crickets />
19:07:39 <jsmith> Welcome rdieter :-)
19:07:41 <rdieter> hola
19:08:10 <jsmith> rdieter: No questions so far -- nice and easy Friday I guess :-)
19:09:10 <rdieter> so, why do we hate ninjas so much? esp sqlninjas. I thought ninjas are supposed to be cool.
19:09:13 <ricky> ?
19:09:24 <enth> good question.
19:09:37 <enth> Ninjas need software support too.
19:11:26 <enth> lots of people ask for help in #fedora-social, how on earth do they run into #fedora-social before they find #fedora
19:11:44 <jsmith> That's a good question... I'm not sure.
19:12:02 <rdieter> #fedora requires nick registration, does #fedora-social too?
19:12:09 <EvilBob> rdieter: no
19:12:16 <enth> figures
19:12:57 <rdieter> so, it's likely just a barrier of entry kind of thing
19:13:05 <rdieter> for better or worse
19:13:37 <jsmith> Probably so...
19:13:51 <nirik> enth: it's not really all that common in my experience... but sure it happens. People also ask for end user support in other #fedora-* channels.
19:14:00 <EvilBob> rdieter: It cuts down the part/join noise a lot
19:14:01 <jsmith> I guess we could investigate having Freenode push unregistered users to something like #fedora-unregistered
19:14:06 <jebba> ?
19:14:14 <jsmith> jebba: Go ahead
19:14:20 <EvilBob> jsmith: that is what we do now
19:14:28 <DiscordianUK> We do from #fedora, jsmith
19:14:32 <jsmith> EvilBob: Ah... great minds think alike :-)
19:14:42 <lenovolkan> how can i register #fedora channel?
19:14:46 <jsmith> jebba: Did you have a question?
19:14:57 <jebba> since it's so quiet in here, i thought i'd just ask/mention: I built a bunch of updated f13 RPMS for the secondary mips architecture (which is having a bit of a comeback under yeeloong in china).
19:14:59 <EvilBob> jsmith: We also have a bot that gives very clear instructions
19:15:04 <EvilBob> lenovolkan: ^^
19:15:05 <jsmith> lenovolkan: http://www.wikihow.com/Register-a-User-Name-on-Freenode
19:15:19 <jebba> So I just uploaded them to my fedorapeople account. I had built them all under mock.
19:15:26 <smooge> cool jebba where can I get hardware :)
19:15:31 <EvilBob> It is also covered in the channel topic
19:15:32 <jsmith> jebba: That's wonderful! Keep up the good work on secondary architectures!
19:15:37 <jebba> Now I am getting set up koji under mips for fedora 14.
19:15:38 <EvilBob> the bot sends "You are here in #fedora-unregistered because you are not identified with freenode. Please: a) register - http://freenode.net/faq.shtml#nicksetup (including email step) b) configure your client to identify - http://freenode.net/faq.shtml#identify and/or /msg nickserv identify then c) /join #fedora for support."
19:16:01 <jebba> the fedora-mips list and channel are pretty dead, and the guy that did the f13 initial port is mostly MIA.
19:16:08 <ricky> ?
19:16:25 <jebba> So, coming to my question, if I beat koji into submission and finally get it spitting out RPMS, where should I put them. ;)
19:16:42 <jebba> ? (i realize this may not just be for the board, but well, it's quiet here and you probably know!)
19:16:56 <jsmith> jebba: Work with the infrastructure team and the release engineering team -- they'll find a good home for them
19:17:03 <jebba> smooge: you can get the hardware here: http://freedomincluded.com/
19:17:03 <jsmith> ricky: You're next :-)
19:17:12 <jebba> smooge: and http://tekmote.nl in europe
19:17:23 <jsmith> => ricky
19:17:26 <ricky> From the meeting notes, I got the impression that the rejection of sqlninja wasn't really an application of the new legal text, but more of a specific one-off decision - does the board really want to be in the position of making packaging individual decisions as opposed to just writing/applying the policies behind these decisions?
19:18:01 <smooge> jebba, work with dgilmore. He started fooling around on mips before his vacation
19:18:17 <ricky> s/packaging individual/individual packaging/
19:18:21 <jsmith> ricky: In general, no. When they need legal review, however, it's important for the Board to be able to evaluate them on their individual merits.
19:18:33 <jebba> smooge: ok thx.
19:18:55 <jsmith> ricky: In this case, the packager marked it as blocking on fedora-legal, as I understand it
19:19:01 <smooge> speaking of which the decision has made the Register and the H :)
19:20:13 <jsmith> I'll be honest -- one of the things I like about Fedora is that we're more than just a collection of packages
19:21:11 <enth> kind of a st!pit question but: are there wiki pages for a list of packages installed by default in every distro?
19:21:18 <ricky> Followup: What are current thoughts for other security packages that have similar offensive capabilities? I'd like/hope to see this decision deferred until sqlninja is revisited as spot mentioned
19:21:38 <jsmith> enth: Not that I'm aware of
19:21:40 <ricky> enth: You can probably generate one from the comps files - people in #fedora-devel might know a little better
19:22:03 <ricky> (I also wouldn't have minded seeing the sqlninja decision deferred too, though)
19:22:22 <jsmith> ricky: Well, sqlninja hasn't even undergone a package review -- so I'm not sure what deferring the decision would do
19:23:00 <rdieter> ricky: as far as I'm aware, sqlninja is the only one that gets close to being unacceptable. there are no intentions or plans to take this any further
19:23:10 <ricky> I assume it'd give spot a chance to talk with legal some more and get a little more data on what the legal risk to distributors is
19:23:12 <rdieter> esp for any content currently in fedora
19:23:24 <rdieter> ricky: +1, yeah
19:23:39 <jsmith> ricky: I think it's pretty safe to assume he'll be talking to them more :-)
19:23:50 <ricky> Can't resist :-) http://nmap.org/ncrack/
19:23:56 <ricky> The recent press has found some more as well
19:24:23 <ricky> Of course, their website is nicer, but I think the intended audience and purpose is the same
19:25:22 <smooge> yes there are quite a few that probably make sqlninja look like child's play. the issue comes down to how do they present themselves.
19:25:32 <jsmith> Again, it's a gray area between software that has redeeming qualities as a security tool and software that's simply a script-kiddie's tool
19:26:06 <rdieter> true, in fairness to sqlninja that I hadn't noticed prior, its site does include the text "It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered."
19:26:28 <ricky> I'll also note that the sqlninja author is a security professional: http://uk.linkedin.com/in/icesurfer. He might be offended by people calling sqlninja a script kiddy tool :-)
19:26:29 <jsmith> I've said this before, but I'll paste it again (since I have it handy): There are *several* questions that we must ask ourselves:
19:26:36 <jsmith> * Does the application have the potential to increase our legal
19:26:37 <jsmith> liability in a significant way?
19:26:37 <jsmith> * Does the application have significant legitimate uses outside of
19:26:37 <jsmith> attacking a system?
19:26:37 <jsmith> * How does the application market itself? As a security tool? As an
19:26:37 <jsmith> easy way to exploit others?
19:26:39 <jsmith> * How difficult would it be for a knowledgeable security professional to
19:26:41 <jsmith> build, versus an unskilled script-kiddie?
19:26:43 <jsmith> * Is this an application that could be easily hosted in a third-party
19:26:47 <jsmith> repository instead of Fedora?
19:26:53 <mizmo> ricky, his email address is leet speak...
19:27:16 <mizmo> he goes by a pseudonym
19:27:30 <jsmith> In the case of sqlninja, I understand it's already in one of the more popular 3rd-party repos, so it's not hard for people to find
19:27:56 <mdomsch> we're approaching 10k packages in the repos. I don't mind if one questionable package doesn't make that 10k+1
19:28:04 <ricky> That's a really harsh way to pass judgement on the author based on his usernames :-(
19:28:22 <walters> one question i have is would we remove a package like this if it got in (i.e. it didn't happen to get flagged during review)
19:28:33 <DiscordianUK> mizmo : linkedin gives his name as Alberto Ravelli which given he was educated in Italy seems likely to be his real name
19:28:37 <jsmith> ricky: Did you see "is their email address leetspeak" in my list above? I think mizmo was being funny :-)
19:28:39 <ricky> Personally, I think the only questions that matter are: 1) is there a legit use, 2) what is the legal risk to Fedora/Red Hat
19:28:58 <mizmo> DiscordianUK, his real name is 'icesurfer'?
19:29:14 <DiscordianUK> No but mine isn't DiscordianUK either
19:29:29 <mizmo> 'Alberto Ravelli' doesn't appear anywhere i can find on the website
19:29:43 <rdieter> ricky: or just mostly 2.
19:29:43 <DiscordianUK> on the linkedin page
19:30:01 <mizmo> how do you know the linked in is the same person?
19:30:10 <EvilBob> Just because my nick is EvilBob does not mean that anything I do is Evil, but that does not change unreasonable attitudes.
19:30:12 * rdieter thinks the author's name, handles, email addresses have no place in this discussion either
19:30:22 <jsmith> Ok, we're over our eight-minute limit for the sqlninja question -- move on, or extend?
19:30:26 <smooge> rdieter, I agree
19:30:27 * DiscordianUK points at ricky's earlier comment
19:30:31 <mizmo> it may well be him, but if he wants to come off as a security professional the sqlninja website does not show that at all
19:30:31 <mdomsch> it's not about the author
19:30:50 <ricky> Just saying that I don't think it's that easy for the board to just decide whether a tool is targeted at script kiddies or not
19:30:50 <smooge> making it about the author is not helping.
19:31:08 <EvilBob> mdomsch: Apparently it is to some
19:31:09 <jsmith> ricky: Who said it was easy?
19:31:12 <ricky> I could ask the author who his target audience is, and I'm pretty sure I'd get a different answer
19:31:31 <rdieter> ricky: the delicate point is that it not only identifies vulnerabilities, it takes advantage of them. imo
19:31:39 <ricky> As in - it's so hard that maybe that shouldn't be the way the decision is made :-)
19:31:39 <DiscordianUK> Yes
19:31:41 <mizmo> i'm sorry, i think it's a valid point that the author of the code referring to himself only in leet speak and obviously made-up handles gives a certain impression.
19:31:50 <ricky> There are legitimate programs used by security researchers that do this
19:31:53 <mizmo> im not in any way insinuating that's why the decision was made
19:31:54 <ricky> metasploit is a popular one, for example
19:32:14 <ricky> It's a framework for generating and running exploits
19:32:23 <EvilBob> Perhaps he uses a pseudonym because of his employment
19:32:28 <DiscordianUK> Most of the stuff on the backtrack isos falls in the same category
19:32:32 <rdieter> ricky: is that in fedora? I can't find it
19:32:47 <ricky> I know of college classes that use metasploit - it'd be a shame if software like that was rejected too
19:32:56 <ricky> rdieter: It's not - it's a mess of bundled libs, unfortunately
19:33:05 <mizmo> ricky, how much of a hardship is it if you have to get it from a 3rd party repo?
19:33:06 <DiscordianUK> The linkedin page acknowledges he is the author of sqlninja and tells you he works for Cigal Inc in the UK
19:33:08 <rdieter> ricky: ok, we'll tackle that when the time comes
19:33:25 <ricky> It's not so much about hardship in getting the program as it is about the precedent that the decision sets
19:33:27 <mizmo> DiscordianUK, i can create a linked in page and say i built the brooklyn bridge and work for nasa on it
19:33:39 <DiscordianUK> Well yes you could
19:33:59 <rdieter> I'm starting to think that the "it's easy to get elsewhere" criterion is a bit weak. I'd rather not try to use that as a justification for anything
19:34:10 <mizmo> ricky, the precedent that legally risky packages are not worth having in the main repo?
19:34:14 <ricky> Which is why I don't think "ease of alternative ways of getting it" is a big consideration
19:34:45 <mizmo> ricky, it's kind of a hard decision, potentially get sued and be really easy to install, don't get potentially sued and be only slightly more difficult to install
19:34:47 <ricky> mizmo: The core issue is that we disagree on whether it's legally risky enough to warrant blocking it
19:34:57 <mizmo> is this risk high enough, is the application worth the risk identified
19:35:00 <ricky> Which is why I was happy to see spot mention revisiting this after talking more with legal
19:35:11 <DiscordianUK> The situation with libdvdcss then?
19:35:14 <ricky> *Everything* has legal risk involved - the question is how much is worth it and how much isn't
19:35:20 * jsmith reminds people that we're *way* over the eight minute mark
19:35:33 <ricky> Sorry :-)
19:35:36 <mizmo> ricky, the website for the application unfortunately doesn't inspire confidence in the legal risk involved compared to other penetration testing tools' websites
19:35:46 <stahnma> ?
19:35:56 <jsmith> Moving on to stahnma's question
19:36:17 <jsmith> (please continue the sqlninja discussion on the advisory-board list)
19:36:47 <stahnma> Who from the Fedora board, or anybody in the Fedora community, is consulted about what packages make it into RHEL? And if it's anybody, is there a process for it?
19:37:13 <jsmith> That's a good question, and one that I don't know the answer to
19:37:32 <jsmith> I have no idea how Red Hat decides which packages to put into RHEL
19:37:35 <mdomsch> stahnma: RHEL has its own feature process. Red Hat partners and customers have influence into what package sets wind up in the product
19:37:56 <mdomsch> and they look first to what Fedora has done
19:38:11 <EvilBob> stahnma: Why should that be any of fedora's business?
19:38:13 <mdomsch> as an example, there is a Fedora bugzilla to track getting the CIM / WS-MAN stacks into Fedora
19:38:16 <mizmo> if something that hasn't been in RHEL is considered to be added to RHEL, and is in EPEL, i know Red Hat messages the EPEL maintainers to let them know
19:38:32 <mdomsch> there is a duplicate feature request for that same stack to be included in RHEL
19:38:38 <stahnma> The main reason I ask, is that as a large customer, I found the best way to get influence and understanding of RHEL was to work heavily in Fedora/EPEL. However, there are still (at least to me) obvious gaps in what packages make it into RHEL and wondered if there are some weird criteria for that
19:38:48 <stahnma> mizmo: that's not always the case
19:38:53 <mdomsch> once the dev was done in Fedora and proven worthy, it dropped into RHEL
19:39:12 <jsmith> stahnma: In that case, it might be better to ping Red Hat directly to request it in parallel to following it in Fedora
19:39:15 <mizmo> stahnma, it happens but i dont know if it happens all the time
19:39:30 <stahnma> I also wasn't sure if it was a great question here, but I figured i'd give it a try
19:39:31 <stahnma> :)
19:40:14 <stahnma> mizmo: it was better for el6, but we're still quite confused on the productivity channels, optional channels, setting up the builders etc for EPEL
19:40:31 <stahnma> I mean it will work out, but basically we couldn't do much for quite a while until we actually saw the GA
19:40:59 <stahnma> but, I'm not trying to complain, mostly to understand how it works
19:41:12 <stahnma> I can discuss with RH as a customer also
19:42:34 <jsmith> Next question?
19:48:05 <jsmith> Any other questions for today's meeting?
19:49:31 <smooge> not from me
19:51:52 <jsmith> I'll leave the meeting running for a few more minutes, and then if we don't have any more questions, I'll propose that we adjourn
19:58:31 <jsmith> OK... I move to close the meeting.
19:58:51 <jsmith> Thanks everyone for participating!
19:58:56 <jsmith> #endmeeting