[GPC] [RFC] Note for Leaders: Project Health Benefits - Using the "OWASP" Name

Jason Li jason.li at owasp.org
Wed May 20 14:57:46 EDT 2009

I agree that we should always be appreciative of contributions. But I
think you're overestimating the number of current "beta" projects that
are in a useable state :-)

Just as an illustration, I've been slowly wading through self update
results and there's a strong bi-modal distribution in the self ratings
for usability... almost all the projects rate themselves as either 1-2
or 7-9. Very little distribution in the middle. So there's a cluster
of projects that are definitely usable and a cluster of projects that
are unusable.

The thing is, I think if we got down to it, the projects that rate
their usability 7+ are probably not going to be the projects that are
going to object to falling into line with the proposed changes we're
making. It's those that are in the 1-2 range that I think are going to
be the most noisy - and it's projects like that which detract from the
OWASP name while at the same time contributing very little to the

I do agree though that we want to make things as simple as possible. I
think this is more a presentation issue than a rules issue because at
a high level, the project health concept and structure are fairly
simple. We do need to have thought about specifics and exceptions in
rules, but we don't necessarily need to have them up at the forefront.


On Wed, May 20, 2009 at 2:01 PM, Boberski, Michael [USA]
<boberski_michael at bah.com> wrote:
> I would offer that one potential step would be to get that new project
> criteria down to 1 page. Make sure it has pictures, is laser-clear, and
> to the point. Consider that every possible contingency and circumstance
> does not need to be guarded against for OWASP, this isn't the space
> shuttle program. Consider sticking with the known alpha/beta/release
> names, it's going to confuse the issue with already-published
> docs/tools, this wasn't really broken. I am empathetic to people who
> "only" get their projects to beta for instance and who get
> stalled/swamped doing other things. The thing is still usable!!! We're
> grateful they did what they did!! If they don't want to lead it or work
> on it further, arrange for a gracious and amicable handoff, hoping that
> they'll come back or start work on another OWASP project. Sorry to be
> grumpy. Intended to be constructive.
> Mike B.
> -----Original Message-----
> From: global-projects-committee-bounces at lists.owasp.org
> [mailto:global-projects-committee-bounces at lists.owasp.org] On Behalf Of
> Jason Li
> Sent: Wednesday, May 20, 2009 1:46 PM
> To: Global Projects Committee
> Subject: [GPC] [RFC] Note for Leaders: Project Health Benefits - Using
> the "OWASP" Name
> Hey guys,
> Here's an email that I drafted that I'd like to send to the leaders
> list. Thoughts?
> --
> -Jason Li-
> -jason.li at owasp.org-
> Leaders,
> The last couple of weeks, the GPC has gotten several angry emails from
> various project owners in response to some of the initiatives that the
> GPC is undertaking.
> As you are hopefully aware, the GPC is trying to increase the quality of
> all OWASP projects by establishing a level of consistency and
> organization across our projects.
> What I'm gathering from this trend of pushback though is that while
> people generally agree with the direction we are trying to go in raising
> the quality of OWASP projects, there are people who don't want to be
> subject to any "bureaucratic" rules. In a sense, there's kind of a "not
> in my backyard" mentality: everyone agrees that the quality of OWASP
> projects needs to be improved but when it comes to their specific
> project, the rules need not apply because they are going to release
> something "soon", or they are a long time OWASP contributor, etc.
> As such, I think we're going to be facing a crossroads - people still
> want to contribute, but there will be a subset of those people who don't
> want to do what is necessary to be consistent with a high quality OWASP
> project.
> Right now, we don't really have any carrot/stick to encourage project
> owners in the direction towards quality. The GPC is working on a
> proposal to encapsulate project health, which establishes three "levels"
> of quality for projects (see
> https://www.owasp.org/index.php/Assessing_Project_Health). We expect
> most projects to reach Level 2 status with a small set of projects
> reaching Level 3 status.
> The motivation for project owners to move from Level 2 to Level 3 is
> that we intend to prominently highlight projects that reach Level 3 on
> the OWASP site. But right now, we have no motivation for project leaders
> to proceed to Level 2.
> As I was going through the project surveys, it occurred to me that an
> overwhelming number of projects call themselves the "OWASP XYZ". I'd
> like to propose that a project can't include the OWASP "name" until they
> reach a certain quality level.
> The OWASP "name" is something that belongs to the OWASP Foundation so it
> is something that we (as the community) can legitimately "control".
> It's also something important that we should protect because any
> project bearing the OWASP name reflects the OWASP brand and if the
> quality is not up to par, then it damages the perception of OWASP for
> all projects.
> _______________________________________________
> Global-projects-committee mailing list
> Global-projects-committee at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/global-projects-committee
