[GPC] Update Needed

Jason Li jason.li at owasp.org
Sun Jul 11 22:22:57 EDT 2010


Christian,

You're taking a few of my points out of context. My email was NOT
meant in any way to attack Google Hacking or in any way address the
drama that has emerged from it (warranted or not), and I'm sorry if
you're taking it that way. I sent the message to the GPC and the Board
specifically to address the shortcomings and failings of the GPC - not
for any other purpose.

I didn't mean to imply that you "abandoned" Google Hacking in that
fashion - that was simply poor word choice and placement on my part.
My point was merely that any project for which we don't have the
source always has the danger of dying with the actions of the project
leader. By having an official repository for OWASP projects, we can
ensure that the source is always accessible for anyone and everyone in
OWASP and elsewhere to use, contribute and reference regardless of the
state of the project or its leader.

I never said that you lied on the survey - far from it. All I'm saying
is that self-surveys can only go so far in evaluating a project. The
fact that several people have spoken out about the functionality of
the project just goes to show that what one person may see as useful
and functional, another person may see differently. That just supports
the fact that we can't rely on one evaluator.

As I said, the message was not about the Google Hacking project, but
about shortcomings of the GPC. The current situation with the Google
Hacking project happens to emphasize those shortcomings. If we had
achieved our goal of creating a repository, the Google Hacking project
code would have been in the repository and you would not have had to
endure antagonistic accusations that you had closed the source or that
it was simply vapor-ware - the source would be there on record in the
repository for anyone to reference. If we had made better progress on
performing project reviews, we may have been able to manage some of
the community's expectations for the project so that there wouldn't
have been the firestorm that has ensued.

Thank you for the suggestions; I wanted to address them below.
Just to note, I'm not intentionally refuting all of your suggestions.
I really do appreciate the ideas, but I hope you'll see that there is
rationale behind why I think they may not be practical or relevant.

> 1. Relocate the responsibility of selecting Project Reviewers who are not OWASP members from the board to the GPC.

I was not aware that there were any limitations on who could review a
project. We've undergone a lot of change and cycles over the
assessment process and there may have been some confusion at the time
between reviewers for a Season of Code, reviewers for OWASP projects,
and reviewing in general which are all substantially different in
requirements and justification. I can't speak to your specific
situation, but you mentioned in your grievances that Paulo was too
busy organizing the OWASP Summit in Portugal at the time to respond
adequately to your attempts to nominate reviewers. The GPC didn't even
exist prior to the OWASP Summit let alone the new review process or
the Assessment Criteria v2. Currently, we ask project leaders to
choose reviewers but by and large, project leaders have not been able
to find reviewers for their projects and instead ask the GPC/Board to
either supply one or act as one.

> 2. Create additional metadata which communicates that unique projects with a limited shelf life, such as the OWASP "Google Hacking" Project.

I don't think additional metadata is necessary. Ideally, this type of
information would be communicated in a project's roadmap. A project
that has limited shelf life would simply reach the end of their
roadmap and be considered "complete".

> 3. Each OWASP Project should be reviewed based on a schedule (i.e. not by signaling that it is ready for review) which could be time-sliced across all other projects.

That may work for some projects, but not every project has regular
release cycles. Besides, as it is we're having a hard enough time as
it is getting through occasional project reviews without having to
have regular reviews occur every X months.

> 4. Reconsider Andrew van der Stock's proposal to become a full time employee

I can't really speak to that proposal - that's not a decision for the
GPC. But I imagine budgetary considerations would preclude OWASP from
pursuing it...

> 5. Remove members from the GPC who are also leaders of significant projects, i.e. it should consist of a majority of dedicated reviewers only.

I humbly disagree. The role of all of the global committees is
supposed to further the development of OWASP. The Global Chapters
Committee helps make it easier to start and manage chapters, while
facilitating the healthy expansion of OWASP - so it only makes sense
to have people who have had success establishing a chapter serve on
the committee. The Global Conferences Committee helps make it easier
to start and manage conferences, while facilitating a healthy synergy
of events by managing the conference calendar - so it only makes sense
to have people who have had success running conferences. Likewise, the
role of the Global Projects Committee is to help make it easier to
start and manage projects, while facilitating the interest in OWASP
projects by the world at large. As a result, it should be made of
people that have been successfully involved in and contributing to
OWASP projects (some of you may note with keen irony that both Brad
and I, who serve as co-chairs of the GPC, are *not* leaders of
significant OWASP projects...).

There is one problem that I'll concede with leaning on OWASP members
for committees that are heavily involved in other OWASP efforts.
Contributions to those other efforts detract from time available to
work with their committee. I'm sure all of the global committees have
experienced a drop in participation of one of their members near
important events (e.g. a local conference they're organizing or a release
for a project they lead). So there is some merit to making sure
committee members are not stretched too thin between their obligations
and that there are sufficient committee members to make up for such
periods.

But I don't think that the GPC should be made up only of dedicated
reviewers. Contrary to popular belief, the role of the GPC is not to
review projects, nitpick leaders, and be a general nuisance. The GPC
doesn't take on the role of reviewing because it wants to, it does so
because we simply have not had the outpouring of volunteers to review
projects en masse. Sure, there are a couple of people who volunteer to
review specific projects on a one-time basis, but we don't have a
dedicated, Wikipedia-like legion of reviewers to constantly comb
through all of our projects.

And accomplishing this task of reviewing all the projects is what I
was seeking suggestions on.

-Jason

On Sun, Jul 11, 2010 at 7:45 PM, Christian Heinrich
<christian.heinrich at owasp.org> wrote:
> Jason,
>
>>> The next couple stages are the ones that would really make a
>>> difference in marketing OWASP projects. The first of these is to
>>> Provide a Repository. We did some preliminary reconnaissance to try
>>> and get a branded Google Code hosting solution, but we didn't get very
>>> far. I think this is a critical piece to provide some consistency for
>>> projects. It also provides us a safety net in cases where projects get
>>> abandoned. By having an official OWASP repository, we'll always have
>>> the code to a project even if a leader later decides to abandon it
>>> (e.g. Google Hacking). The next of these is to revamp the project
>>> website and migrate existing projects to the new site. That's a huge
>>> undertaking that I think is extremely important to OWASP - but I'm not
>>> even sure it's worth discussing until we get our ducks lined up in a
>>> row with our existing projects.
>
> I have *never* abandoned the OWASP "Google Hacking" Project.
>
> Coincidentally, the possible misinterpretation of "Inactive" was
> discussed at the Leaders/GPC Meeting during OWASP EU 2009.
>
> To quote the current metadata i.e. "GPC_Notes = This project has had
> its status changed (currently inactive) pending the outcome of an
> inquiry. <!--- This project cannot longer be maintained due to the
> closure of the Google SOAP Search API i.e.
> http://googlecode.blogspot.com/2009/08/well-earned-retirement-for-soap-search.html.--->"
>
> While Dinis thought that marking it as inactive might help the current
> situation to demonstrate that development had ceased due to Google
> deprecating their SOAP Search API to which I disagreed at HITB
> Amsterdam - consequently Joe Public has misinterpreted the reason as
> to why the project is inactive (i.e. which is within the HTML
> Comments) and that I am undergoing a disciplinary process for abusing
> the OWASP Brand, etc as I have been found guilty irrespective of the
> e-mails from Jeff and Dinis state.
>
>>> I'm open to suggestions on how we can either quickly assess projects
>>> in a meaningful way or bypass the problem entirely by creatively doing
>>> something else. I believe we had several discussions about putting the
>>> carrot in front of the cart. For example, we could simply create a new
>>> whiz bang website for OWASP and the "price of admission" to the
>>> "endorsed" part of the website was for a project leader to push his
>>> project through a mostly self-review process. But that has it's own
>>> issues as self-review is not always accurate (again, Google Hacking
>>> serves as a good example - Christian was fairly quick to fill out the
>>> OWASP Projects Survey) and so there's always going to be a need for
>>> external review. And that external review will be a bottleneck for
>>> anyone trying to push to the next tier.
>
> You can't state that I lied considering the survey, i.e.
> https://spreadsheets.google.com/ccc?key=pJzNU1yNJd7VBH1bS6rY0EQ&hl=en#,
> was a snapshot at a particular time (i.e. March 2009) which didn't
> have any questions concerning what difficulties are faced by "new"
> project leaders, i.e. those who are managing their first OWASP
> Project without local support from senior OWASP Members, i.e. only
> Justin Derry was available in Australia during this time and while he
> offered to assist this was not extended post the OWASP Australian 2009
> Conference fallout with the OWASP Board.
>
> Had you asked for a history of the difficulties/unknowns etc.
> within the survey the GPC would have also known:
> 1. Chris Gates (metasploit), PDP (GNUCitizen) and Glen Roberts
> (Solutionary) had nominated themselves to review the project but
> according to an e-mail thread between Paulo and I (from September 2008
> until January 2009) were unable to review the project on behalf of
> OWASP as they were not OWASP members. Subsequently, they all had to
> submit CVs for the Board to approve (for some reason the GPC can't
> approve them) and I was not willing to pass on this request as it was
> insulting to their standing within the community and their offer to
> volunteer their time. In Paulo's defense he was distracted with
> preparing for the OWASP Summit in Portugal during this time and
> apologised when he responded to each e-mail.
> 2. As I was unable to locate an OWASP reviewer I deleted the
> repository as I was unsure if OWASP had any interest in reviewing the
> project due to the deprecation of the SOAP Search API, the fact that
> it was PoC v0.1, etc., but held onto the namespace if this changed.
> 3. That stated, Tom Brennan trying to kill the project was inferred
> in my response to "If not, what is the reason that you do not wish to
> be considered for industry partnership?" based on an e-mail thread
> with Paulo and I during August 2008 but I am now confused on OWASP's
> position on condoning the violation of Google's Terms of Service in
> light of claiming to be "open".
>
> Post this survey (i.e. at OWASP EU 2008), the GPC did not want to
> discuss my project when I raised that I had rescheduled the release
> from RUXCON 2K8 as per the survey, i.e. during the Leaders/GPC Meeting,
> i.e. http://www.flickr.com/photos/appseceu09/, rather the discussion
> focused on the consequence of marking projects inactive, etc. which I
> mentioned above.
>
> I also received IN-CONFIDENCE information on the Google SOAP Search
> API (i.e. it wasn't deprecated because of the AJAX Search API) from
> Tavis Ormandy (Google) during CONFidence 2009 which I made Dinis aware
> of.
>
> Finally, the deprecation of the SOAP Search API in September 2009
> occurs *after* OWASP finally decides to review the project i.e.
> https://lists.owasp.org/pipermail/owasp-google-hacking/2009-October/000004.html
> - neither was I contacted in March 2010.
>
>>> Ironically, the whole Google Hacking situation is a great lens to view
>>> our efforts through. The problems OWASP is dealing with right now for
>>> that project are exactly the problems we were thinking about when we
>>> started our agenda... if we can only make some faster progress, we
>>> might be able to preempt this kind of event in the future.
>
> These are some of the recommendations from the response that I will be
> shortly releasing:
> 1. Relocate the responsibility of selecting Project Reviewers who are
> not OWASP members from the board to the GPC.
> 2. Create additional metadata which communicates that unique projects
> with a limited shelf life, such as the OWASP "Google Hacking" Project.
> 3. Each OWASP Project should be reviewed based on a schedule (i.e. not
> by signaling that it is ready for review) which could be time-sliced
> across all other projects.
> 4. Reconsider Andrew van der Stock's proposal to become a full time employee
> 5. Remove members from the GPC who are also leaders of significant
> projects, i.e. it should consist of a majority of dedicated reviewers
> only.
>
> --
> Regards,
> Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
> OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
>