From Fedora Project Wiki

Board Meeting 2010 Nov 08

Roll Call

Present

  • Tom "spot" Callaway
  • Rex Dieter
  • Jared Smith
  • Máirín Duffy
  • Jon Stanley
  • Matt Domsch
  • Colin Walters
  • Chris Tyler

Absent

(None)

Regrets

  • Christopher Aillon
  • Stephen Smoogen

Agenda

Updates

  • F14 shipped! Hooray! Now let's get to work on F15

Board Business:

Community Working Group

Specifics about the group

  • Wiki page: Fedora_Community_Working_Group
  • Tasks for the group
    • Will need to come up with code-of-conduct
    • Come up with proposal to enforce (if deemed needed)
  • Group will have 5 members
  • Time duration:
    • Limited time span, like Board - 1 year lifetime.
    • jds2001 talked to Jeff Mitchell in KDE group, said it is not a big time sink.

Recruitment Process

  • Karsten doesn't want to join, but wants to be an insider journalist for the Open Source Way
    • That's fine by us, no opposition - notes need to be sensitive to private meeting content, however.
  • Everyone else contacted, one interested, rest not interested, or not interested in being a direct member of the group.

Candidate Decision

  • How to select candidates? We talked about letting Rex select them or having the Board vote, and decided to have a Board vote.
  • Decision: We voted for 5 candidates + 1 alternate amongst the nominations we received. These candidates will be contacted. In the case where one of the candidates cannot serve, the alternate will be called on. The candidates will be announced at some future point when they have been confirmed.

OpenRespect.org

Basic Information

  • Joint statement between Linux distros about respecting each other & communicating in a friendly/civil manner at http://openrespect.org
    • Jono Bacon wrote it.
    • Jono Bacon talked to Jared about this, and said he would draft a statement and would involve Jared but ended up releasing via his blog without collaborating before release and emailed Jared afterwards.

Board Discussion

  • On first glance seems reasonable; what's the effect of having this out there? So what? (ctyler)
  • KDE community member Aaron Seigo weighs in and decides not to 'sign' http://aseigo.blogspot.com/2010/11/commonality-and-community.html
    • Makes the point that respect is earned. Be cordial & polite to folks you don't know. There's a difference between being polite and respectful (spot)
  • Jono's Blog post on it: http://www.jonobacon.org/2010/11/05/making-our-world-more-respectful/
    • Tends to be slanted towards not 'picking on' Canonical; the spin makes me uncomfortable (spot)
    • Fab's comment on Jono's blog post points out difference between respecting people and respecting companies (mizmo)
  • Can have difference of opinion and still be polite (but respect? not necessarily) (jsmith & jds2001)
    • At the EtherPad FAD, someone tried to 'teach' Spot about licensing... Spot had to be polite & nice... but didn't feel he respected his point of view. Made every effort to be polite & cordial. Was that respectful? Maybe not, but 125% trying to be polite and not saying anything hurtful. There is a difference... if you disagree with someone who has lots of well-researched reasons for a different standpoint, they can still be respected. (spot)
  • Don't see inclusion of legitimate criticism... that would be another concern about how this is shaped (ctyler)
  • Engaging honest, open, and polite debate. Does debate count as criticism or is it okay? (rdieter)
    • Statement seems to be anti-criticism. Hard time accepting as-is in that case (rdieter)
  • Think the statement should be about civility, not respect (mizmo) (spot +1)
  • Not sure (a) why this is necessary (b) what do we get from being a part of it? (mdomsch)
  • All the communities in FLOSS struggling to deal with these issues, maybe could be part of the discussion but not the endpoint (ctyler ?)
  • Concern: What about new guys (or gals) without a track record? How can they be counted too? (mdomsch)
    • respect is an aspect of new folks coming in, but courtesy & patience are probably more applicable. if you show a new person courtesy & patience, they have a chance to tackle the problems & earn respect (spot)
    • 'respect' has a lot of different meanings... having respect for someone is different than being disrespectful (spot)
      • openantidisrespect.org (rdieter)

Board Decision

  • How do we move forward? Say we don't approve it? Make wording change suggestions? Ignore what he's doing and do our own thing? (jsmith)
    • Decision: Say we don't approve of the statement and would like to be involved earlier on similar efforts? (Spot)
    • Decision: Can we ask jono to go back to the problem statement and solicit some brainstorm / ideas (from various FLOSS projects) on how to solve the problem? (mizmo)
    • Decision: Point out a focus on civility as opposed to respect. (Rex, mizmo+1)
    • Idea: Could be cool to have a portal that points to various FLOSS projects' statements/policies/codes-of-conducts? <= at least then the website would serve an actual purpose :-p (mizmo)

New Legal Guideline

Basic Information

  • SQLninja package review request submitted. All that it does is try to exploit vulnerabilities in SQL queries to give you root access on remote systems / root equivalent on Windows systems. (Package request: https://bugzilla.redhat.com/show_bug.cgi?id=637402)
  • Argument for SQLninja to be added to Fedora is that it is a 'penetration testing tool.'
  • Where is the line between what we would take into Fedora b/c it is free software vs. how hazardous it might be?
  • We never had an explicit policy on this; wanted to wait until we actually encountered it.
  • RH Legal:
    • Want us to add some text (text in ticket 86) - gives us another loophole to add to the legal guidelines so we have the right to say the app is too risky / too likely to be used for illegal/dangerous reasons. So we can have some discretion over what is included.
    • We do bear some additional risk from carrying a tool like this - a hacker can claim he didn't know about the tool before we made it visible to him. Not terribly likely but concerning.

Proposal

  • Spot proposes we add the new legal text, and also would like us to decide on what to do about SQLninja in particular.

Board Discussion

  • Just bc you give someone a gun, it doesn't mean they aren't going to shoot someone with it. (jds2001)
    • This is advertised as 'get root on remote systems' - it doesn't advertise itself as a security tool. (spot)
    • Does it matter what they market themselves as? (colin)
    • What about the Mozilla extension that creates web traffic and logs you into websites... might be instructive to know what Mozilla's guidelines for extensions are. (colin)
      • Wasn't distributed by Mozilla, was distributed by developers
  • Does the benefit of this app outweigh the risk? (Spot)
    • Talked to a couple of folks who work in security, and they said having tools like this easily accessible is useful for them. However, is that the primary use case in practice? (Spot)
  • We package Jack the Ripper (mdomsch)
    • Less concerning because it's not remote/aggressive exploit, need the actual password file from the system. Valid case of oh I forgot the password. (Spot)
    • If legitimate use seems to be more common than not, seems okay to me (Spot)
  • What is the actual risk? (mdomsch)
    • Really hard to say (spot)
  • Some legal disclaimer for the software we provide? We can't review everything? (Colin)
    • Spot asked about disclaiming liability for what people do with the software - Legal said we can do that but it doesn't really do us anything.
    • for it to be more meaningful, digital signature... CLA won't help because you don't have to be a contributor to use it.
    • Software creators already disclaiming liability through GPL
  • Upstream claims SQLninja too complex to set up, so not useful for script kiddies. Has wording like, 'Feel free to have fun with this tool, but this might get you in trouble with a lot of law enforcement agencies.' (Spot)
  • Who gets the discretion? FESCo? Board? Fedora Legal?
    • If of a legal nature, should be the Board (jsmith, Spot); text updated to reflect this
  • Unfair to submit ex post facto blockers to packages (jds2001)
    • SQLninja hasn't actually been reviewed yet so it's not ex post facto (spot)

The Statement to be added to our legal guidelines

"Where, objectively speaking, the package has essentially no useful foreseeable purposes other than those that are highly likely to be illegal or unlawful in one or more major jurisdictions in which Fedora is distributed or used, such that distributors of Fedora will face heightened legal risk if Fedora were to include the package, then the Fedora Project Board has discretion to deny inclusion of the package for that reason alone."

Votes

Should we add this text to the Legal guidelines?

  • Add the language: ++++++
  • Don't add language:

Should we approve or deny the SQLninja request in particular?

  • Yes, SQLninja is okay to add:
  • No, SQLninja shouldn't be added: +++++++

Board Decision

  • We will add Spot's proposed language to the Fedora legal guidelines. (unanimous)
  • We won't allow the SQLninja package to be added to Fedora. (unanimous)

Fedora Elections Process

  • Nobody really stepped up to manage
    • Chris Tyler has time to step in now
    • Symptom of larger problem of heavily-involved folks getting burnt out (mdomsch)
    • New Fedora Program manager coming onboard soon, taking over John Poelstra's job. Will be announced via Jared's blog soon. (jsmith)
    • Suggestion: Add election coordination to Fedora Program manager job description (spot)
  • People didn't know where to submit their answers to the questionnaire - ongoing confusion on the list today

Next Meeting

  • Friday, November 12th (IRC office hours)
  • Monday, November 15th (Secretary: Smoogen)