[Esapi-user] ESAPI development process

Jim Manico jim.manico at owasp.org
Wed Aug 25 15:18:19 EDT 2010

> 1. Is there any documentation on the ESAPI development process? A "how to
> contribute/get involved" guide?

There are only 4 active committers right now. I manage the project over
email. We do not have project documentation around our process (Agile/Small
Team), but I do code review (as does Jeff) on all diffs.

> 2. From the Google Code people page, I see 18 people that have SVN
> commit access. What controls are there to prevent
> unreviewed/unapproved changes from being made?

See above. I also just pruned this list down to just the 4 active folks and
moved others to "contributor" status. I'll prune this list on a regular

> 3. How can I reproduce one of the release builds? It looks to me like
> sometimes only a jar is released, sometimes there is also source but
> without a build or project file to compile it with, but if I do an SVN
> checkout I get the source and build files. Unfortunately, it doesn't
> look like SVN tags are being used and I didn't see an easy way to tie
> a revision number to a release. I'd like to be able to make small
> patches to the release we use in production until we can complete
> testing of a newer version, but this is difficult without knowing how
> to repeat the build process of a particular ESAPI release.

I do not use formal tagging, but I add a checkin note saying "Version X

I only release JARs when I want the dev community to review. I now release
all *real* releases as a complete zip. (This is why you see ESAPI 2.0 rc6 as
a zip, and ESAPI rc7 (early release) as a jar.) ESAPI rc7 is not ready for
release, but will be in a few days. At that time I will deprecate the ESAPI
2.0 rc6 zip and the rc7 jar - and upload the rc7 zip.

> 4. Is the 2.0-rcX series recommended for production? We'll only be
> using the output encoding parts. It seems to have resolved the problem
> we hit (multiple threads deadlocking in
> HTMLEntityCodec.initializeMaps() resulting from multiple threads
> inserting into a HashMap without synchronization).

For output encoding, yes. I fixed the thread-safety issue in ESAPI 2.0 rc7
jar - I'd love your help in backporting that to 1.4.

Most importantly, if you see anything lacking - then help us! Volunteer to
make ESAPI better! We are just a few developers working at night outside of
our full time job for free. All help, support, and/or funding/donations will
help make the project better.

- Jim
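The bug class raised in question 4 (several threads lazily filling one shared HashMap with no synchronization) next to the usual fix, as an added illustration that is not ESAPI's code; the class names LazyCodecMaps and SafeCodecMaps and the three-entry table are hypothetical.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

// Hypothetical names; not ESAPI's own code.
public class CodecMapInit {

    // Unsafe: a shared HashMap built lazily by whichever thread arrives first, with no lock.
    static final class LazyCodecMaps {
        private static Map<Character, String> charToEntity;   // not volatile, not final

        static String lookup(char c) {
            if (charToEntity == null) {            // several threads can all observe null here
                charToEntity = new HashMap<>();    // each publishes its own map and races to fill it;
                charToEntity.put('<', "lt");       // concurrent put() into one HashMap is unsafe: lost
                charToEntity.put('>', "gt");       // entries, corrupted bucket chains (pre-Java 8 get()
                charToEntity.put('&', "amp");      // could loop forever, which looks like a deadlock)
            }
            return charToEntity.get(c);            // may miss entries or hang under contention
        }
    }

    // Safe: populate the table once in a static initializer. The JVM runs class
    // initialization exactly once and publishes the result to every thread, so the
    // finished, read-only map needs no further synchronization.
    static final class SafeCodecMaps {
        private static final Map<Character, String> CHAR_TO_ENTITY;
        static {
            Map<Character, String> m = new HashMap<>();
            m.put('<', "lt");
            m.put('>', "gt");
            m.put('&', "amp");
            CHAR_TO_ENTITY = Collections.unmodifiableMap(m);
        }
        static String lookup(char c) { return CHAR_TO_ENTITY.get(c); }
    }

    public static void main(String[] args) throws InterruptedException {
        // Exercise the safe table from several threads; every lookup must succeed.
        Thread[] workers = new Thread[8];
        for (int i = 0; i < workers.length; i++) {
            workers[i] = new Thread(() -> {
                for (int j = 0; j < 100_000; j++)
                    if (!"lt".equals(SafeCodecMaps.lookup('<'))) throw new AssertionError();
            });
            workers[i].start();
        }
        for (Thread t : workers) t.join();
        System.out.println("safe lookups completed");
    }
}
```

Pointing the worker threads at LazyCodecMaps instead is the reproduction case: whether it fails depends on scheduling, which is exactly why this kind of bug surfaces in production rather than in tests.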
