[GPC] Your project - OWASP JBroFuzz - has been identified as INACTIVE - Action is required!

Jason Li jason.li at owasp.org
Mon May 11 15:00:23 EDT 2009


Subere,

Thanks for the survey replies. I'll add it to the appropriate sheet.

As for maintainer, yes, Rogan has indicated that he is looking for a
maintainer for WebScarab. After we launch the next season of code, the
GPC will start looking at how we are going to define the role of
"maintainer". There are a few issues to be worked out like
responsibilities, creative license, etc. But we're very happy to have
you volunteer for the maintainer role for WebScarab and we'll keep
that in mind once the time comes.
--
-Jason Li-
-jason.li at owasp.org-



On Mon, May 11, 2009 at 9:58 AM, Subere <subere at uncon.org> wrote:
> Hi Jason, based on your response, let's get cracking I would say. I do not
> have edit permissions on the spreadsheet, so answers below. Finally, I have
> noticed that you are looking for a maintainer for WebScarab, if you all see
> it fit, I would like to volunteer for that.
>
> Timestamp
>
> 16:25 11/05/2009
>
> What is your name and email address?
>
> Yiannis Pavlosoglou subere at uncon.org
>
> Who are you?
>
> Project Owner
>
> What is the name of your project?
>
> JBroFuzz
>
> Project Type
>
> Tool
>
> Project Home Page
>
> http://www.owasp.org/index.php/Category:OWASP_JBroFuzz
> http://sourceforge.net/projects/jbrofuzz
>
> Mailing List
>
> owasp-jbrofuzz at lists.owasp.org
>
> License
>
> GPL v3
>
> Related Projects
>
> WebScarab, DirBuster
>
> Is the project actively maintained?
>
> Yes, much more than maintained; based on the roadmap there are key features
> still pending to be added.
>
> What is the latest version of your project?
>
> 1.3 is current, 1.4 due in late May.
>
> When was this latest version released (if applicable)?
>
> March 2009.
>
> Availability
>
> Sourceforge & Subversion Repository
>
> Availability Link
>
> https://jbrofuzz.svn.sourceforge.net/svnroot/jbrofuzz
>
> Availability Explanation
>
> Standard Sourceforge Release Quality Application. Available in compiled form
> for Win32/64, MacOSX, *nix.
>
> Project Sponsors
>
> Spring of Code 2007.
>
> Would you be interested in the OWASP Global Projects Committee considering
> your project for an industry sponsorship?
>
> Yes, it would definitely help implement faster some of the key features
> towards automation and graphing, let alone finally put in writing as a pdf
> a JBroFuzz Tutorial guide.
>
> If not, what is the reason that you do not wish to be considered for
> industry partnership?
>
> n/a
>
> What is the current quality level of the project?
>
> Do not get me started on this!
>
> Quality Rating
>
> 10/10
>
> Quality Explanation
>
> All reported unstable pieces have been removed from the source code; there
> is no reported bit of functionality that does operate as expected. The
> source code has even been scanned by Fortify with no high risk confirmed
> issues being reported.
>
> Usability Rating
>
> 10/10
>
> Usability Explanation
>
> The old motto used to be: "if you can't fuzz with JBroFuzz, you probably
> don't want to fuzz!". Shortcuts have been added (Ctrl + L), JBroFuzz has its
> own file format that helps share vulnerabilities identified through a single
> file, cross platform.
>
> Usage Rating
>
> 10/10
>
> Usage Explanation
>
> For the visibility that has been given to this project, in its 2 1/2 year
> timespan it has had more than 14000 downloads reported on sourceforge
> statistics and is part of a number of security distros.
>
> Relevance Rating
>
> 10/10
>
> Relevance Explanation:
>
> Well, it is only a HTTP/S fuzzer; no more, no less.
>
> Jason Li wrote:
>>
>> Subere,
>>
>> It is not our intention to archive or retire active projects. Try to
>> understand that we have over 100 projects at OWASP and we are trying
>> to establish the status of all of our projects. As you can probably
>> guess, many of these 100+ projects have been abandoned by their owner.
>> It's not feasible for us to look through every single individual
>> project and determine their status so we asked all project leaders to
>> complete a self update questionnaire. (Note that this status update is
>> separate from the reviewer process.)
>>
>> To your point - "Does anyone on this thread even know when the latest
>> version got released?" - this is exactly the type of information we
>> are trying to gather for our projects in the self update
>> questionnaire.
>>
>> We started by emailing the list administrator for each project mailing
>> list and by notifying the leaders list. We have sent out multiple
>> requests over the last month and a half through these mediums in an
>> attempt to contact project leaders. We have received responses from
>> most of our projects and have narrowed the number of projects
>> remaining. So now that the numbers are more manageable, we are
>> starting to look into individual projects and trying to find the
>> contact information.
>>
>> So please take a step back and relax - we are not going to deactivate
>> projects that are active. If you have a chance, please fill out the
>> update mentioned by Paulo below. This will help us get ahead of the
>> curve in our agenda to improve overall OWASP project quality. If you
>> take a look at our committee agenda, some of the tasks that you
>> mention, such as creating consistent look and feel, standardized
>> input/output for better inter-project usage, etc, are exactly the
>> items we are already planning to accomplish. But the first step for us
>> is to figure out what we already have in OWASP projects by doing an
>> inventory of all projects.
>>
>> --
>> -Jason Li-
>> -jason.li at owasp.org-
>>
>>
>>
>> On Sun, May 10, 2009 at 7:34 PM, Subere <subere at uncon.org> wrote:
>>
>>>
>>> Very interesting email Paulo, all, my answers are inline:
>>>
>>> Paulo Coimbra wrote:
>>>
>>> Hello Yiannis Pavlosoglou,
>>>
>>>
>>>
>>> Hope you are well.
>>>
>>>
>>>
>>> As you may know, the OWASP Global Projects Committee is undertaking the
>>> task of improving the OWASP Project structure -
>>> https://www.owasp.org/index.php/GPC_Project_Surveys_2009 - which includes
>>> identifying orphaned projects.
>>>
>>> No I did not know about this task, even though I knew about the global
>>> projects committee. The signal to noise ratio in recent time on the
>>> leaders mailing list has just been way too low to keep an eye on new
>>> initiatives.
>>>
>>> Initially, it was the requirements for achieving alpha, beta and release
>>> quality status; chased those and still got nowhere in terms of
>>> recognition for the project, internally that is within OWASP. Still the
>>> sourceforge download statistics seemed to be going up -
>>>
>>> In fact I believe I am still waiting for reviewers to be assigned to it?
>>> Now I am finding out that you regard JBroFuzz an orphaned project?
>>>
>>> Still, I have argued for having a communication channel in place and
>>> finally it seems to be here. I believe it is a very good initiative and
>>> something that I had in the past actively pushed for, but not like this
>>> folks, come on:
>>>
>>> After 3 years of constant updates on a small but stable fuzzer project,
>>> understand my surprise in receiving an email (on a Saturday) with the
>>> words "INACTIVE - Action required!" Does anyone on this thread even know
>>> when the latest version got released?
>>>
>>>
>>>
>>> In this context, the project owner(s) for each OWASP Project have been
>>> asked several times to complete a self update on the status of their
>>> project
>>> https://spreadsheets.google.com/ccc?key=pJzNU1yNJd7VBH1bS6rY0EQ&hl=en
>>> and, as far as I can see, you haven’t answered yet.
>>>
>>> If the non completion of the above spreadsheet has triggered all this, I
>>> protest!
>>>
>>> - Where is the help requested in getting some icons for the project?
>>> - Where is the review after managing to get the code scanned by Fortify
>>> (last requirement for release quality)?
>>> - Where was OWASP when I was giving bits of the code from JBroFuzz to
>>> help improve other projects (e.g. DirBuster)?
>>> - Where is the funding to buy a proper installer tool and not have to use
>>> shareware installers to meet your requirements?
>>>
>>> As the timeline of releases, improvements and version numbers illustrate,
>>> this project does have some audience (just look at the distros that have
>>> it e.g. BackTrack, Samurai). If you would like to pull the plug on it,
>>> fine, it is a simple small fuzzer, nothing more, but do not do so on the
>>> excuse of not filling in a spreadsheet!
>>>
>>>
>>>
>>> Thus, please clarify:
>>>
>>>
>>>
>>> 1. Are you currently leading the
>>> https://www.owasp.org/index.php/Category:OWASP_JBroFuzz? If not, can you
>>> provide the name of the new lead?
>>>
>>> Yes. I am the project lead on this project; for the last time, due to
>>> contractual obligations, I do not advertise my name on the project page
>>> and use the alias subere instead.
>>>
>>>
>>>
>>> 2. Do you or the new lead require assistance either with the technical
>>> aspects of your project, or with leading it?
>>>
>>> Yes and yes. Above is a flavour of issues; more importantly having
>>> interacted with a few tool leaders now, we like to get things done. I
>>> want to sit down with Rogan and discuss bits of WebScarab, who do I speak
>>> to about that? I want to go and tell the people involved with Java
>>> projects about a uniform Look & Feel, anyone?
>>>
>>> On this, there is the coding side: Very little democracy in programming:
>>> Can I have a medium to tell other project leaders that the UI hack to get
>>> it to work in linux on line 66 of the source file is excellent, but
>>> actually is from a book and shouldn't be GPLd? How about that their
>>> threading model is upside down? Or, more importantly, can all client UI
>>> projects within the next month adopt the following Help menu with set
>>> submenus?
>>>
>>> The biggest mistake on my end I would say was not to attend the gathering
>>> in Portugal and have apologised for that. Still, having channels of
>>> communication open with key people in the organisation from a technical
>>> side is something that would enable us to achieve more with less. That
>>> shouldn't just be a single meeting. Now, the first time we went through
>>> this process, very few things actually changed; ergo the reluctance to
>>> blindly follow.
>>>
>>>
>>>
>>> Please note that the Global Projects Committee will determine very
>>> shortly whether a project should be archived and retired or put up for
>>> adoption.
>>>
>>> Adopt us all! Above a certain level it seems that we all need foster
>>> homes under someone's wing to be allowed to operate within OWASP!
>>>
>>>
>>>
>>> I thank you in advance.
>>>
>>>
>>>
>>> Best regards,
>>>
>>>
>>>
>>>
>>>
>>> Paulo Coimbra,
>>>
>>> OWASP Project Manager
>>>
>>>
>>>
>>> Block your agendas for May 11-14 and join us - OWASP AppSec Europe 2009
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Global-projects-committee mailing list
>>> Global-projects-committee at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/global-projects-committee
>>>
>>>
>>>
>
>

