19:01:11 #startmeeting Fedora Board IRC Meeting (open office hours)
19:01:11 Meeting started Fri Nov 12 19:01:11 2010 UTC. The chair is jsmith. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:01:11 Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:01:16 #meetingname Fedora Board
19:01:17 The meeting name has been set to 'fedora_board'
19:01:44 #topic Roll Call of Board Members
19:01:52 * mdomsch
19:02:07 Looks like we have mdomsch, ctyler, jds2001, smooge, and myself so far
19:02:50 Just a reminder that we use the protocol listed at https://fedoraproject.org/wiki/Board_public_IRC_meetings to help keep the conversation clear and focused
19:02:54 I am sort of here. dealing with some infrastructure issues
19:03:09 Thanks smooge
19:03:38 #topic Open questions and answers
19:05:24 OK, if you've got a question, type a question mark, and we'll call on you in turn
19:05:41 If you've got a comment on the existing question, type an exclamation mark
19:06:36 Any questions?
19:06:54
19:07:39 Welcome rdieter :-)
19:07:41 hola
19:08:10 rdieter: No questions so far -- nice and easy Friday I guess :-)
19:09:10 so, why do we hate ninja's so much? esp sqlninja's. I thought ninja's are supposed to be cool.
19:09:13 ?
19:09:24 good question.
19:09:37 Ninjas need software support too.
19:11:26 lots of people ask for help in #fedora-social, how on earth do they run into #fedora-social before they find #fedora
19:11:44 That's a good question... I'm not sure.
19:12:02 #fedora requires nick registration, does #fedora-social too?
19:12:09 rdieter: no
19:12:16 figures
19:12:57 so, it's likely just a barrier of entry kind of thing
19:13:05 for better or worse
19:13:37 Probably so...
19:13:51 enth: it's not really all that common in my experience... but sure it happens. People also ask for end user support in other #fedora-* channels.
19:14:00 rdieter: It cuts down the part/join noise a lot
19:14:01 I guess we could investigate having Freenode push unregistered users to something like #fedora-unregistered
19:14:06 ?
19:14:14 jebba: Go ahead
19:14:20 jsmith: that is what we do now
19:14:28 We do from #fedora, jsmith
19:14:32 EvilBob: Ah... great minds think alike :-)
19:14:42 how can i register #fedora channel?
19:14:46 jebba: Did you have a question?
19:14:57 since it's so quiet in here, i thought i'd just ask/mention: I built a bunch of updated f13 RPMS for the secondary mips architecture (which is having a bit of a comeback under yeeloong in china).
19:14:59 jsmith: We also have a bot that gives very clear instructions
19:15:04 lenovolkan: ^^
19:15:05 lenovolkan: http://www.wikihow.com/Register-a-User-Name-on-Freenode
19:15:19 So I just uploaded them to my fedorapeople account. I had built them all under mock.
19:15:26 cool jebba where can I get hardware :)
19:15:31 It is also covered in the channel topic
19:15:32 jebba: That's wonderful! Keep up the good work on secondary architectures!
19:15:37 Now I am getting set up koji under mips for fedora 14.
19:15:38 the bot sends "You are here in #fedora-unregistered because you are not identified with freenode. Please: a) register - http://freenode.net/faq.shtml#nicksetup (including email step) b) configure your client to identify - http://freenode.net/faq.shtml#identify and/or /msg nickserv identify then c) /join #fedora for support."
19:16:01 the fedora-mips list and channel are pretty dead, and the guy that did the f13 initial port is mostly MIA.
19:16:08 ?
19:16:25 So, coming to my question, if I beat koji into submission and finally get it spitting out RPMS, where should I put them. ;)
19:16:42 ? (i realize this may not just be for the board, but well, it's quiet here and you probably know!)
19:16:56 jebba: Work with the infrastructure team and the release engineering team -- they'll find a good home for them
19:17:03 smooge: you can get the hardware here: http://freedomincluded.com/
19:17:03 ricky: You're next :-)
19:17:12 smooge: and http://tekmote.nl in europe
19:17:23 => ricky
19:17:26 From the meeting notes, I got the impression that the rejection of sqlninja wasn't really an application of the new legal text, but more of a specific one-off decision - does the board really want to be in the position of making packaging individual decisions as opposed to just writing/applying the policies behind these decisions?
19:18:01 jebba, work with dgilmore. He started fooling around on mips before his vacation
19:18:17 s/packaging individual/individual packaging/
19:18:21 ricky: In general, no. When they need legal review, however, it's important for the Board to be able to evaluate them on their individual merits.
19:18:33 smooge: ok thx.
19:18:55 ricky: In this case, the packager marked it as blocking on fedora-legal, as I understand it
19:19:01 speaking of which the decision has made the Register and the H :)
19:20:13 I'll be honest -- one of the things I like about Fedora is that we're more than just a collection of packages
19:21:11 kind of a st!pit question but: are there wiki pages for a list of packages installed by default in every distro?
19:21:18 Followup: What are current thoughts for other security packages that have similar offensive capabilities?
I'd like/hope to see this decision deferred until sqlninja is revisited as spot mentioned
19:21:38 enth: Not that I'm aware of
19:21:40 enth: You can probably generate one from the comps files - people in #fedora-devel might know a little better
19:22:03 (I also wouldn't have minded seeing the sqlninja decision deferred too, though)
19:22:22 ricky: Well, sqlninja hasn't even undergone a package review -- so I'm not sure what deferring the decision would do
19:23:00 ricky: as far as I'm aware, sqlninja is the only one that gets close to being unacceptable. there are no intentions or plans to take this any further
19:23:10 I assume it'd give spot a chance to talk with legal some more and get a little more data on what the legal risk to distributors is
19:23:12 esp for any content currently in fedora
19:23:24 ricky: +1, yeah
19:23:39 ricky: I think it's pretty safe to assume he'll be talking to them more :-)
19:23:50 Can't resist :-) http://nmap.org/ncrack/
19:23:56 The recent press has found some more as well
19:24:23 Of course, their website is nicer, but I think the intended audience and purpose is the same
19:25:22 yes there are quite a few that probably make sqlninja look like child's play. the issue comes down to how do they present themselves.
19:25:32 Again, it's a gray area between software that has redeeming qualities as a security tool and software that's simply a script-kiddie's tool
19:26:06 true, in fairness to sqlninja that I hadn't noticed prior, its site does include the text "It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered."
19:26:28 I'll also note that the sqlninja author is a security professional: http://uk.linkedin.com/in/icesurfer.
He might be offended by people calling sqlninja a script kiddy tool :-)
19:26:29 I've said this before, but I'll paste it again (since I have it handy): There are *several* questions that we must ask ourselves:
19:26:36 * Does the application have the potential to increase our legal
19:26:37 liability in a significant way?
19:26:37 * Does the application have significant legitimate uses outside of
19:26:37 attacking a system?
19:26:37 * How does the application market itself? As a security tool? As an
19:26:37 easy way to exploit others?
19:26:39 * How difficult would it be for a knowledgeable security professional to
19:26:41 build, versus an unskilled script-kiddie?
19:26:43 * Is this an application that could be easily hosted in a third-party
19:26:47 repository instead of Fedora?
19:26:53 ricky, his email address is leet speak...
19:27:16 he goes by a pseudonym
19:27:30 In the case of sqlninja, I understand it's already in one of the more popular 3rd-party repos, so it's not hard for people to find
19:27:56 we're approaching 10k packages in the repos. I don't mind if one questionable package doesn't make that 10k+1
19:28:04 That's a really harsh way to pass judgement on the author based on his usernames :-(
19:28:22 one question i have is would we remove a package like this if it got in (i.e. it didn't happen to get flagged during review)
19:28:33 mizmo : linkedin gives his name as Alberto Ravelli which given he was educated in Italy seems likely to be his real name
19:28:37 ricky: Did you see "is their email address leetspeak" in my list above? I think mizmo was being funny :-)
19:28:39 Personally, I think the only questions that matter are: 1) is there a legit use, 2) what is the legal risk to Fedora/Red Hat
19:28:58 DiscordianUK, his real name is 'icesurfer'?
19:29:14 No but mine isn't DiscordianUK either
19:29:29 'Alberto Ravelli' doesn't appear anywhere i can find on the website
19:29:43 ricky: or just mostly 2.
19:29:43 on the linkedin page
19:30:01 how do you know the linked in is the same person?
19:30:10 Just because my nick is EvilBob does not mean that anything I do is Evil, but that does not change unreasonable attitudes.
19:30:12 * rdieter thinks the author's name, handles, email addresses have no place in this discussion either
19:30:22 Ok, we're over our eight-minute limit for the sqlninja question -- move on, or extend?
19:30:26 rdieter, I agree
19:30:27 * DiscordianUK points at ricky's earlier comment
19:30:31 it may well be him, but if he wants to come off as a security professional the sqlninja website does not show that at all
19:30:31 it's not about the author
19:30:50 Just saying that I don't think it's that easy for the board to just decide whether a tool is targeted at script kiddies or not
19:30:50 making it about the author is not helping.
19:31:08 mdomsch: Apparently it is to some
19:31:09 ricky: Who said it was easy?
19:31:12 I could ask the author who his target audience is, and I'm pretty sure I'd get a different answer
19:31:31 ricky: the delicate point is that it not only identifies vulnerabilities, it takes advantage of them. imo
19:31:39 As in - it's so hard that maybe that shouldn't be the way the decision is made :-)
19:31:39 Yes
19:31:41 i'm sorry, i think it's a valid point that the author of the code referring to himself only in leet speak and obviously made-up handles gives a certain impression.
19:31:50 There are legitimate programs used by security researchers that do this
19:31:53 i'm not in any way insinuating that's why the decision was made
19:31:54 metasploit is a popular one, for example
19:32:14 It's a framework for generating and running exploits
19:32:23 Perhaps he uses a pseudonym because of his employment
19:32:28 Most of the stuff on the backtrack isos falls in the same category
19:32:32 ricky: is that in fedora?
I can't find it
19:32:47 I know of college classes that use metasploit - it'd be a shame if software like that was rejected too
19:32:56 rdieter: It's not - it's a mess of bundled libs, unfortunately
19:33:05 ricky, how much of a hardship is it if you have to get it from a 3rd party repo?
19:33:06 The linkedin page acknowledges he is the author of sqlninja and tells you he works for Cigal Inc in the UK
19:33:08 ricky: ok, we'll tackle that when the time comes
19:33:25 It's not so much about hardship in getting the program as it is about the precedent that the decision sets
19:33:27 DiscordianUK, i can create a linked in page and say i built the brooklyn bridge and work for nasa on it
19:33:39 Well yes you could
19:33:59 I'm starting to think that the "it's easy to get elsewhere" criterion is a bit weak. I'd rather not try to use that as a justification for anything
19:34:10 ricky, the precedent that legally risky packages are not worth having in the main repo?
19:34:14 Which is why I don't think "ease of alternative ways of getting it" is a big consideration
19:34:45 ricky, it's kind of a hard decision, potentially get sued and be really easy to install, don't get potentially sued and be only slightly more difficult to install
19:34:47 mizmo: The core issue is that we disagree on whether it's legally risky enough to warrant blocking it
19:34:57 is this risk high enough, is the application worth the risk identified
19:35:00 Which is why I was happy to see spot mention revisiting this once after talking more with legal
19:35:11 The situation with libdvdcss then?
19:35:14 *Everything* has legal risk involved - the question is how much is worth it and how much isn't
19:35:20 * jsmith reminds people that we're *way* over the eight minute mark
19:35:33 Sorry :-)
19:35:36 ricky, the website for the application unfortunately doesn't inspire confidence in the legal risk involved compared to other penetration testing tools' websites
19:35:46 ?
19:35:56 Moving on to stahnma's question
19:36:17 (please continue the sqlninja discussion on the advisory-board list)
19:36:47 Who from the Fedora board, or anybody in the Fedora community, is consulted about what packages make it into RHEL? And if it's anybody, is there a process for it?
19:37:13 That's a good question, and one that I don't know the answer to
19:37:32 I have no idea how Red Hat decides which packages to put into RHEL
19:37:35 stahnma: RHEL has its own feature process. Red Hat partners and customers have influence into what package sets wind up in the product
19:37:56 and they look first to what Fedora has done
19:38:11 stahnma: Why should that be any of fedora's business?
19:38:13 as an example, there is a Fedora bugzilla to track getting the CIM / WS-MAN stacks into Fedora
19:38:16 if something that hasn't been in RHEL is considered to be added to RHEL, and is in EPEL, i know Red Hat messages the EPEL maintainers to let them know
19:38:32 there is a duplicate feature request for that same stack to be included in RHEL
19:38:38 The main reason I ask, is that as a large customer, I found the best way to get influence and understanding of RHEL was to work heavily in Fedora/EPEL.
However, there are still (at least to me) obvious gaps in what packages make it into RHEL and wondered if there are some weird criteria for that
19:38:48 mizmo: that's not always the case
19:38:53 once the dev was done in Fedora and proven worthy, it dropped into RHEL
19:39:12 stahnma: In that case, it might be better to ping Red Hat directly to request it in parallel to following it in Fedora
19:39:15 stahnma, it happens but i don't know if it happens all the time
19:39:30 I also wasn't sure if it was a great question here, but I figured i'd give it a try
19:39:31 :)
19:40:14 mizmo: it was better for el6, but we're still quite confused on the productivity channels, optional channels, setting up the builders etc for EPEL
19:40:31 I mean it will work out, but basically we couldn't do much for quite a while until we actually saw the GA
19:40:59 but, I'm not trying to complain, mostly to understand how it works
19:41:12 I can discuss with RH as a customer also
19:42:34 Next question?
19:48:05 Any other questions for today's meeting?
19:49:31 not from me
19:51:52 I'll leave the meeting running for a few more minutes, and then if we don't have any more questions, I'll propose that we adjourn
19:58:31 OK... I move to close the meeting.
19:58:51 Thanks everyone for participating!
19:58:56 #endmeeting