Fedora Project Drops SQLNinja 'Hacker' Tool 159
simonb writes, "In what can only be described as a fit of insanity, the Fedora Board have declared a 'hacker tool' not fit for entry into their software repositories. Today your SQL injection tools, tomorrow your nmap?" The Register links the Fedora board's meeting minutes. From the story: "The move came on Monday in a unanimous vote by the Fedora Project's board of directors rejecting a request that SQLNinja be added to the archive of open-source applications. It came even as a long list of other hacker tools are included in the bundle and was harshly criticized by some security watchers. 'It seems incredibly short sighted to reject software based on perceived legal usage,' said Jacob Appelbaum, a full-time programmer for the Tor Project. 'They have decided to become judges of likely usage based on their own experience. That is a path of madness.' ... [T]he board unanimously decided to add a new statement to Fedora's legal guidelines concerning the inclusion of hacking tools. ... Smith said the language is intended to clarify its stance on a class of software that can be used both to secure and penetrate protected networks."
That's Interesting (Score:1, Interesting)
"Not Fit For Entry" vs. "Drops" (Score:5, Interesting)
Does a package have a right to be included in a distribution?
Is failing to include a package censorship?
Hardly. These are the decisions that distribution maintainers face every day. You can't include everything, so there doesn't really need to be much of a reason to not include any particular program.
Re:As the old linux community saying goes... (Score:5, Interesting)
The flip side of the coin though is that nmap, wireshark, and tcpdump all have uses beyond pen-testing or hacking. nmap can be used to help diagnose routing issues (I've actually used it for that), as well as for veryifying your network map, and other similar uses.
Wireshark is similarly very useful for debugging. For example, it can quickly help you determine that your software is creating malformed packets, or determine exactly what order your packets are being sent, or exactly what they contain. tcpdump is similar.
Even password cracking tools like jack the ripper can be used for purposes other than hacking or pen-testing. One possible such use (despite being a bit questionable) is ensuring minimum password strength, by running it for a fixed amount of time, and rejecting any passwords it can crack in that timeframe.
The difference is that sqlninja really has no use beyond hacking or pen-testing. It does not even pretend it might have other uses.
That all said, I'm not saying that refusing to package it is the right course of action. Indeed that seems questionable at best. I'm merely pointing out how sqlninja is different from the other tools you mentioned.
Much ado about nothing? (Score:4, Interesting)
While I'll be the first to acknowledge that this is clearly a "CYA" move on Fedora's part, I don't see why it is such a big deal. Ubuntu/Debian don't appear to have this tool in their repositories, and I'm pretty sure SuSE doesn't either, so it's not like Fedora is bucking a consensus. If there's enough demand for it, RPM Fusion will probably pick it up.
Furthermore, if the person responsible for your network vulnerability testing doesn't have the basic skills to install it from the upstream sources, is this really the caliber of person you want to trust with your network security?
Re:As the old linux community saying goes... (Score:3, Interesting)
This software does not secure or test anything. [...]
There are a lot of other SQL injection tools out there but sqlninja, instead of extracting the data, focuses on getting an interactive shell on the remote DB server
Sounds pretty handy as a password recovery tool for database servers.