[GPC] [RFC] Note for Leaders: Project Health Benefits - Using the "OWASP" Name

Jason Li jason.li at owasp.org
Wed May 20 15:22:12 EDT 2009

1) I agree that self ratings usually don't match up... but I would say
that typically self ratings tend to be *higher* than reality, not
lower. In other words, I think there are probably several projects out
there that are over-stating their usability rather than understating.

2) I agree that a good idea partially implemented doesn't necessarily
detract. But I think that's mostly true when it comes to documentation
efforts. A partially documented writeup about the latest XYZ
technology is still valuable even if it's not complete. However, tools
on the other hand are the opposite. I think that a good idea with a
partially implemented tool that doesn't do anything *does* detract
from OWASP's credibility. If a user comes to an OWASP tool that has a
great idea, but the implementation is incomplete and mostly
non-functional, they will be left with the impression that OWASP
projects are all some incubation bed of incomplete ideas. The problem
is compounded if the project leader does not have the tool in an
organized state for someone else to take over as no one else can
really pick up the pieces and execute the project's road map.

3) As to the one page challenge, again, I think it's just a matter of
presentation and I don't anticipate having any problems creating a
short overview of the rating system once we get all the specifics
down. But I maintain that it is important to have thought about the
specifics first.


On Wed, May 20, 2009 at 3:04 PM, Boberski, Michael [USA]
<boberski_michael at bah.com> wrote:
> I'd offer developer self-ratings don't usually match up to user
> self-ratings.
> I'm not sure that a good idea partially implemented/in a draft state
> detracts. These types of ideas are not found most other places. Having
> them findable in a central location like a project page helps other
> people to find them and run with them.
> I challenge the committee to get the rules down to 1 page!
> Mike B.
> -----Original Message-----
> From: li.jason.c at gmail.com [mailto:li.jason.c at gmail.com] On Behalf Of
> Jason Li
> Sent: Wednesday, May 20, 2009 2:58 PM
> To: Boberski, Michael [USA]
> Cc: Global Projects Committee
> Subject: Re: [GPC] [RFC] Note for Leaders: Project Health Benefits -
> Using the "OWASP" Name
> I agree that we should always be appreciative of contributions. But I
> think you're overestimating the number of current "beta" projects that
> are in a useable state :-)
> Just as an illustration, I've been slowly wading through self-update
> results and there's a strong bi-modal distribution in the self ratings
> for usability... almost all the projects rate themselves as either 1-2
> or 7-9.  Very little distribution in the middle. So there's a cluster of
> projects that are definitely usable and a cluster of projects that are
> unusable.
> The thing is, I think if we got down to it, the projects that rate their
> usability 7+ are probably not going to be the projects that are going
> to object to falling into line with the proposed changes we're making.
> It's those that are in the 1-2 range that I think are going to be the
> most noisy - and it's projects like that which detract from the OWASP
> name while at the same time contributing very little to the community.
> I do agree though that we want to make things as simple as possible. I
> think this is more a presentation issue than a rules issue because at a
> high level, the project health concept and structure are fairly simple.
> We do need to have thought about specifics and exceptions in rules, but
> we don't necessarily need to have them up at the forefront.
> -Jason
> On Wed, May 20, 2009 at 2:01 PM, Boberski, Michael [USA]
> <boberski_michael at bah.com> wrote:
>> I would offer that one potential step would be to get that new project
>> criteria down to 1 page. Make sure it has pictures, is laser-clear,
>> and to the point. Consider that every possible contingency and
>> circumstance does not need to be guarded against for OWASP, this isn't
>> the space shuttle program. Consider sticking with the known
>> alpha/beta/release names, it's going to confuse the issue with
>> already-published docs/tools, this wasn't really broken. I am
>> empathetic to people who "only" get their projects to beta for
>> instance and who get stalled/swamped doing other things. The thing is
>> still usable!!! We're grateful they did what they did!! If they don't
>> want to lead it or work on it further, arrange for a gracious and
>> amicable handoff, hoping that they'll come back or start work on
>> another OWASP project. Sorry to be grumpy. Intended to be
>> constructive.
>> Mike B.
>> -----Original Message-----
>> From: global-projects-committee-bounces at lists.owasp.org
>> [mailto:global-projects-committee-bounces at lists.owasp.org] On Behalf
>> Of Jason Li
>> Sent: Wednesday, May 20, 2009 1:46 PM
>> To: Global Projects Committee
>> Subject: [GPC] [RFC] Note for Leaders: Project Health Benefits - Using
>> the "OWASP" Name
>> Hey guys,
>> Here's an email that I drafted that I'd like to send to the leaders
>> list. Thoughts?
>> --
>> -Jason Li-
>> -jason.li at owasp.org-
>> Leaders,
>> The last couple of weeks, the GPC has gotten several angry emails from
>> various project owners in response to some of the initiatives that the
>> GPC is undertaking.
>> As you are hopefully aware, the GPC is trying to increase the quality
>> of all OWASP projects by establishing a level of consistency and
>> organization across our projects.
>> What I'm gathering from this trend of pushback though is that while
>> people generally agree with the direction we are trying to go in
>> raising the quality of OWASP projects, there are people who don't want
>> to be subject to any "bureaucratic" rules. In a sense, there's kind of
>> a "not in my backyard" mentality: everyone agrees that the quality of
>> OWASP projects needs to be improved but when it comes to their
>> specific project, the rules need not apply because they are going to
>> release something "soon", or they are a long time OWASP contributor,
>> etc.
>> As such, I think we're going to be facing a crossroads - people still
>> want to contribute, but there will be a subset of those people who
>> don't want to do what is necessary to be consistent with a high
>> quality OWASP project.
>> Right now, we don't really have any carrot/stick to encourage project
>> owners in the direction towards quality. The GPC is working on a
>> proposal to encapsulate project health, which establishes three
>> "levels"
>> of quality for projects (see
>> https://www.owasp.org/index.php/Assessing_Project_Health). We expect
>> most projects to reach Level 2 status with a small set of projects
>> reaching Level 3 status.
>> The motivation for project owners to move from Level 2 to Level 3 is
>> that we intend to prominently highlight projects that reach Level 3 on
>> the OWASP site. But right now, we have no motivation for project
>> leaders to proceed to Level 2.
>> As I was going through the project surveys, it occurred to me that an
>> overwhelming number of projects call themselves the "OWASP XYZ". I'd
>> like to propose that a project can't include the OWASP "name" until
>> they reach a certain quality level.
>> The OWASP "name" is something that belongs to the OWASP Foundation so
>> it is something that we (as the community) can legitimately "control".
>> It's also something important that we should protect because any
>> project bearing the OWASP name reflects the OWASP brand and if the
>> quality is not up to par, then it damages the perception of OWASP for
>> all projects.
>> _______________________________________________
>> Global-projects-committee mailing list
>> Global-projects-committee at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/global-projects-committee