[GPC] Your project - OWASP JBroFuzz - has been identified as INACTIVE - Action is required!
subere at uncon.org
Mon May 11 09:58:42 EDT 2009
Hi Jason, based on your response, let's get cracking I would say. I do
not have edit permissions on the spreadsheet, so answers below. Finally,
I have noticed that you are looking for a maintainer for WebScarab, if
you all see it fit, I would like to volunteer for that.
What is your name and email address?
Yiannis Pavlosoglou subere at uncon.org
Who are you?
What is the name of your project?
Project Home Page
owasp-jbrofuzz at lists.owasp.org
Is the project actively maintained?
Yes, much more than maintained; based on the roadmap there are key
features still pending to be added.
What is the latest version of your project?
1.3 is current, 1.4 due in late May.
When was this latest version released (if applicable)?
Sourceforge & Subversion Repository
Standard Sourceforge Release Quality Application. Available in compiled
form for Win32/64, MacOSX, *nix.
Spring of Code 2007.
Would you be interested in the OWASP Global Projects Committee
considering your project for an industry sponsorship?
Yes, it would definitely help implement faster some of the key features
towards automation and graphing, let alone finally put in writing as a
pdf a JBroFuzz Tutorial guide.
If not, what is the reason that you do not wish to be considered for
What is the current quality level of the project?
Do not get me started on this!
All reported unstable pieces have been removed from the source code;
there is no reported bit of functionality that does operate as expected.
The source code has even been scanned by Fortify with no high risk
confirmed issues being reported.
The old motto used to be: "if you can't fuzz with JBroFuzz, you probably
don't want to fuzz!". Shortcuts have been added (Ctrl + L), JBroFuzz has
its own file format that helps share vulnerabilities identified through
a single file, cross platform.
For the visibility that has been given to this project, in its 2 1/2
year timespan it has had more than 14000 downloads reported on
sourceforge statistics and is part of a number of security distros.
Well, it is only a HTTP/S fuzzer; no more, no less.
Jason Li wrote:
> It is not our intention to archive or retire active projects. Try to
> understand that we have over 100 projects at OWASP and we are trying
> to establish the status of all of our projects. As you can probably
> guess, many of these 100+ projects have been abandoned by their owner.
> It's not feasible for us to look through every single individual
> project and determine their status so we asked all project leaders to
> complete a self update questionnaire. (Note that this status update is
> separate from the reviewer process.)
> To your point - "Does anyone on this thread even know when the latest
> version got released?" - this is exactly the type of information we
> are trying to gather for our projects in the self update
> We started by emailing the list administrator for each project mailing
> list and by notifying the leaders list. We have sent out multiple
> requests over the last month and a half through these mediums in an
> attempt to contact project leaders. We have received responses from
> most of our projects and have narrowed the number of projects
> remaining. So now that the numbers are more manageable, we are
> starting to look into individual projects and trying to find the
> contact information.
> So please take a step back and relax - we are not going to deactivate
> projects that are active. If you have a chance, please fill out the
> update mentioned by Paulo below. This will help us get ahead of the
> curve in our agenda to improve overall OWASP project quality. If you
> take a look at our committee agenda, some of the tasks that you
> mention, such as creating consistent look and feel, standardized
> input/output for better inter-project usage, etc, are exactly the
> items we are already planning to accomplish. But the first step for us
> is to figure out what we already have in OWASP projects by doing an
> inventory of all projects.
> -Jason Li-
> -jason.li at owasp.org-
> On Sun, May 10, 2009 at 7:34 PM, Subere <subere at uncon.org> wrote:
>> Very interesting email Paulo, all, my answers are inline:
>> Paulo Coimbra wrote:
>> Hello Yiannis Pavlosoglou,
>> Hope you are well.
>> As you may know, the OWASP Global Projects Committee is undertaking the task
>> of improving the OWASP Project structure -
>> https://www.owasp.org/index.php/GPC_Project_Surveys_2009 - which includes
>> identifying orphaned projects.
>> No I did not know about this task, even though I knew about the global
>> projects committee. The signal to noise ratio in recent time on the leaders
>> mailing list has just been way too low to keep an eye on new initiatives.
>> Initially, it was the requirements for achieving alpha, beta and release
>> quality status; chased those and still got nowhere in terms of recognition
>> for the project, internally that is within OWASP. Still the sourceforge
>> download statistics seemed to be going up -
>> In fact I believe I am still waiting for reviewers to be assigned to it? Now
>> I am finding out that you regard JBroFuzz an orphaned project?
>> Still, I have argued for having a communication channel in place and finally
>> it seems to be here. I believe it is a very good initiative and something
>> that I had in the past actively pushed for, but not like this folks, come
>> After 3 years of constant updates on a small but stable fuzzer project,
>> understand my surprise in receiving an email (on a Saturday) with the words
>> "INACTIVE - Action required!" Does anyone on this thread even know when the
>> latest version got released?
>> In this context, the project owner(s) for each OWASP Project have been asked
>> several times to complete a self update on the status of their project
>> https://spreadsheets.google.com/ccc?key=pJzNU1yNJd7VBH1bS6rY0EQ&hl=en and,
>> as far as I can see, you haven’t answered yet.
>> If the non completion of the above spreadsheet has triggered all this, I
>> - Where is the help requested in getting some icons for the project?
>> - Where is the review after managing to get the code scanned by Fortify
>> (last requirement for release quality)?
>> - Where was OWASP when I was giving bits of the code from JBroFuzz to help
>> improve other projects (e.g. DirBuster)?
>> - Where is the funding to buy a proper installer tool and not have to use
>> shareware installers to meet your requirements?
>> As the timeline of releases, improvements and version numbers illustrate,
>> this project does have some audience (just look at the distros that have it
>> e.g. BackTrack, Samurai). If you would like to pull the plug on it, fine, it
>> is a simple small fuzzer, nothing more, but do not do so on the excuse of
>> not filling in a spreadsheet!
>> Thus, please clarify:
>> 1. Are you currently leading the
>> https://www.owasp.org/index.php/Category:OWASP_JBroFuzz? If not, can you
>> provide the name of the new lead?
>> Yes. I am the project lead on this project; for the last time, due to
>> contractual obligations, I do not advertise my name on the project page and
>> use the alias subere instead.
>> 2. Do you or the new lead require assistance either with the technical
>> aspects of your project, or with leading it?
>> Yes and yes. Above is a flavour of issues; more importantly having
>> interacted with a few tool leaders now, we like to get things done. I want
>> to sit down with Rogan and discuss bits of WebScarab, who do I speak to
>> about that? I want to go and tell the people involved with Java projects
>> about a uniform Look & Feel, anyone?
>> On this, there is the coding side: Very little democracy in programming: Can
>> I have a medium to tell other project leaders that the UI hack to get it to
>> work in linux on line 66 of the source file is excellent, but actually is
>> from a book and shouldn't be GPLd? How about that their threading model is
>> upside down? Or, more importantly, can all client UI projects within the
>> next month adopt the following Help menu with set submenus?
>> The biggest mistake on my end I would say was not to attend the gathering in
>> Portugal and have apologised for that. Still, having channels of
>> communication open with key people in the organisation from a technical side
>> is something that would enable us to achieve more with less. That shouldn't
>> just be a single meeting. Now, the first time we went through this process,
>> very few things actually changed; ergo the reluctance to blindly follow.
>> Please note that the Global Projects Committee will determine very shortly
>> whether a project should be archived and retired or put up for adoption.
>> Adopt us all! Above a certain level it seems that we all need foster homes
>> under someone's wing to be allowed to operate within OWASP!
>> I thank you in advance.
>> Best regards,
>> Paulo Coimbra,
>> OWASP Project Manager
>> Block your agendas for May 11-14 and join us - OWASP AppSec Europe 2009