[GPC] [RFC] Note for Leaders: Project Health Benefits - Using the "OWASP" Name
Boberski, Michael [USA]
boberski_michael at bah.com
Wed May 20 15:04:10 EDT 2009
I'd offer developer self-ratings don't usually match up to user
I'm not sure that a good idea partially implemented/in a draft state
detracts. These types of ideas are not found most other places. Having
them findable in a central location like a project page helps other
people to find them and run with them.
I challenge the committee to get the rules down to 1 page!
From: li.jason.c at gmail.com [mailto:li.jason.c at gmail.com] On Behalf Of
Sent: Wednesday, May 20, 2009 2:58 PM
To: Boberski, Michael [USA]
Cc: Global Projects Committee
Subject: Re: [GPC] [RFC] Note for Leaders: Project Health Benefits -
Using the"OWASP" Name
I agree that we should always be appreciative of contributions. But I
think you're overestimating the number of current "beta" projects that
are in a useable state :-)
Just as an illustration, I've been slowly wading through self update
results and there's a strong bi-modal distribution in the self ratings
for usability... almost all the projects rate themselves as either 1-2
or 7-9. Very little distribution in the middle. So there's a cluster of
projects that are definitely usable and a cluster of projects that are
The thing is, I think if we got down to it, the projects that rate their
usability 7+ are probably not going to be the projects that are going
to object to falling into line with the proposed changes we're making.
It's those that are in the 1-2 range that I think are going to be the
most noisy - and it's projects like that which detract from the OWASP
name while at the same time contributing very little to the community.
I do agree though that we want to make things as simple as possible. I
think this is more a presentation issue than a rules issue because at a
high level, the project health concept and structure are fairly simple.
We do need to have thought about specifics and exceptions in rules, but
we don't necessarily need to have them up at the forefront.
On Wed, May 20, 2009 at 2:01 PM, Boberski, Michael [USA]
<boberski_michael at bah.com> wrote:
> I would offer that one potential step would be to get that new project
> criteria down to 1 page. Make sure it has pictures, is laser-clear,
> and to the point. Consider that every possible contingency and
> circumstance does not need to be guarded against for OWASP, this isn't
> the space shuttle program. Consider sticking with the known
> alpha/beta/release names, it's going to confuse the issue with
> already-published docs/tools, this wasn't really broken. I am
> empathetic to people who "only" get their projects to beta for
> instance and who get stalled/swamped doing other things. The thing is
> still usable!!! We're grateful they did what they did!! If they don't
> want to lead it or work on it further, arrange for a gracious and
> amicable handoff, hoping that they'll come back or start work on
> another OWASP project. Sorry to be grumpy. Intended to be
> Mike B.
> -----Original Message-----
> From: global-projects-committee-bounces at lists.owasp.org
> [mailto:global-projects-committee-bounces at lists.owasp.org] On Behalf
> Of Jason Li
> Sent: Wednesday, May 20, 2009 1:46 PM
> To: Global Projects Committee
> Subject: [GPC] [RFC] Note for Leaders: Project Health Benefits - Using
> the"OWASP" Name
> Hey guys,
> Here's an email that I drafted that I'd like to send to the leaders
> list. Thoughts?
> -Jason Li-
> -jason.li at owasp.org-
> The last couple of weeks, the GPC has gotten several angry emails from
> various project owners in response to some of the initiatives that the
> GPC is undertaking.
> As you are hopefully aware, the GPC is trying to increase the quality
> of all OWASP projects by establishing a level of consistency and
> organization across our projects.
> What I'm gathering from this trend of pushback though is that while
> people generally agree with the direction we are trying to go in
> raising the quality of OWASP projects, there are people who don't want
> to be subject to any "bureaucratic" rules. In a sense, there's kind of
> a "not in my backyard" mentality: everyone agrees that the quality of
> OWASP projects needs to be improved but when it comes to their
> specific project, the rules need not apply because they are going to
> release something "soon", or they are a long time OWASP contributor,
> As such, I think we're going to be facing a crossroads - people still
> want to contribute, but there will be a subset of those people who
> don't want to do what is necessary to be consistent with a high
> quality OWASP project.
> Right now, we don't really have any carrot/stick to encourage project
> owners in the direction towards quality. The GPC is working on a
> proposal to encapsulate project health, which establishes three
> of quality for projects (see
> https://www.owasp.org/index.php/Assessing_Project_Health). We expect
> most projects to reach Level 2 status with a small set of projects
> reaching Level 3 status.
> The motivation for project owners to move from Level 2 to Level 3 is
> that we intend to prominently highlight projects that reach Level 3 on
> the OWASP site. But right now, we have no motivation for project
> leaders to proceed to Level 2.
> As I was going through the project surveys, it occurred to me that an
> overwhelming number of projects call themselves the "OWASP XYZ". I'd
> like to propose that a project can't include the OWASP "name" until
> they reach a certain quality level.
> The OWASP "name" is something that belongs to the OWASP Foundation so
> it is something that we (as the community) can legitimately "control".
> It's also something important that we should protect because any
> project bearing the OWASP name reflects the OWASP brand and if the
> quality is not up to par, then it damages the perception of OWASP for
> all projects.