[GPC] After AppSec Research

Jason Li jason.li at owasp.org
Mon Mar 21 13:49:33 EDT 2011


The answer to all of the questions under the current project guidelines is
yes, with one caveat:

> - the project needs a wiki, but can also have its own external website
> with, say, examples, forums, etc. - but also commercial offers such as
> paying support, books, etc.;


More accurately, the project needs to have a wiki page on the *OWASP wiki*.
The project wiki page is meant to be the face of the project. As such, the
OWASP wiki page should contain all the information necessary for an OWASP
consumer to understand what the project is about --- which can be
supplemented by an external website. But we don't want users to *have* to
jump, nor do we want the wiki page to just be a link or trackback to an
external project page. We want our OWASP Projects to be a part of, and
consider themselves a part of, the OWASP community. The OWASP LiveCD project
is an example of a project where, despite the fact that much of the project
is hosted at an external website, the project leader (Matt) generally
references http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project as
his project home page.

Let us know if you decide to make your project an OWASP project or if you
have any other questions about OWASP.

-Jason
OWASP Global Projects Committee Chair

On Mon, Mar 21, 2011 at 12:41 PM, Dave Wichers <dave.wichers at owasp.org> wrote:

> I believe the answer to all of these questions is yes, but we haven't had
> such a large project come to OWASP before so I think we need to make sure.
>
> OWASP has a projects committee which would be the best venue to get these
> questions sorted out/answered properly.
>
> I'm introducing them to this discussion and bowing out. But I'll monitor
> the thread and if I'm asked for an opinion I'll be happy to provide one.
>
> -Dave
>
> -----Original Message-----
> From: David Rajchenbach-Teller [mailto:David.Teller at mlstate.com]
> Sent: Monday, March 21, 2011 6:10 AM
> To: Dave Wichers
> Subject: Re: After AppSec Research
>
>         Hi Dave,
> Sorry for the lack of clarity, I actually didn't mean OWASP project yet,
> just open-source project for the moment. We tend to believe that this might
> be one of the most important open-sourcing events of the year, given the
> amount of work that has gone into the development of OPA (between 50 and
> 100 man.year, by my account).
>
> However, since our last discussion, I've read the OWASP Project guidelines
> [1], and it seems that, if I understand it correctly, we could make OPA an
> OWASP project (note the conditionals - I'm not the one who can give the
> greenlight).  Just let me recapitulate to be sure that we're on the same
> wavelength:
> - making it an OWASP project does not require any transfer of ownership,
> copyright, etc.;
> - BSD, GPL and Affero GPL are acceptable licenses for the source code and
> documentation;
> - the project leader is in charge of accepting/rejecting contributions,
> based on quality, compatibility with project objectives and compatibility
> with project license;
> - in this case, the project leader is essentially MLstate (or, more
> precisely, one of our employees);
> - the project needs a wiki, but can also have its own external website
> with, say, examples, forums, etc. - but also commercial offers such as
> paying support, books, etc.;
> - the wiki can contain our logos (as sponsors/main authors);
> - the leader is in charge of managing the wiki, the source repository
> (which would probably be github, in any case), bug tracking, etc.;
>
> Is that correct? As you can see, as much as we (and especially I) like
> open-source, we'd like to be sure that we don't lose either the visibility
> on the company or the ability to steer OPA towards high security standards -
> and that's not just market-speech, we have a great team working on
> constantly improving every aspect of OPA, and it would be a shame to waste
> this work.
>
> Best regards,
>  David
>
> [1] http://www.owasp.org/index.php/Guidelines_for_OWASP_Projects
>
> On Mar 18, 2011, at 7:56 PM, Dave Wichers wrote:
>
> > And you can ignore my comments about AppSec US. For some reason I had
> > in my head you were a U.S. company, which you are not. So AppSecEU
> > would be perfect.
> >
> > -Dave
> >
> > -----Original Message-----
> > From: Dave Wichers [mailto:dave.wichers at owasp.org]
> > Sent: Friday, March 18, 2011 2:49 PM
> > To: 'David Rajchenbach-Teller'
> > Subject: RE: After AppSec Research
> >
> > That's awesome. And I assume you mean making it an OWASP project too?
> >
> > I think AppSecEU would be great, but AppSecUS is in Sept. and might be
> > more interesting to your constituency, but you could 'announce' it/do
> > talks at both.
> >
> > OWASP will be happy to promote your new project to all of our members
> > via our leaders list. And then conference talks will create more
> > visibility. We typically don't advertise outside of OWASP except via our
> > conferences.
> > Obviously, it will be on our portal and if you can advance it to what
> > we refer to as a release quality project (which isn't that hard
> > actually), then that will help it stand out from the crowd of other OWASP
> > projects.
> >
> > In addition, we have a Global Projects Committee and they may be able
> > to help you promote your project and solicit participants in your effort.
> >
> > I can introduce you if you'd like.
> >
> > I also need to introduce you to Paulo who can help you set up your
> > OWASP project page, mailing list, etc. Where is your code currently
> > housed, by the way? In some open source repository yet? If not, I'd
> > recommend Google code, but we aren't majorly picky about where it is,
> > as long as it's out in the open.
> >
> > -Dave
> >
> > -----Original Message-----
> > From: David Rajchenbach-Teller [mailto:David.Teller at mlstate.com]
> > Sent: Friday, March 18, 2011 1:47 PM
> > To: Dave Wichers
> > Subject: Re: After AppSec Research
> >
> >       Hi Dave,
> >
> > Well, it took us quite some time and convincing, but we finally have
> > the green light for the open-sourcing. If things proceed as planned,
> > everything should be up and running before AppSecEU 2011. Which brings
> > me to a few points:
> > - do you think that AppSecEU would be a good place for the official
> > announcement?
> > - is there a chance that OWASP could give us a hand for gaining
> > visibility?
> > - more generally, do you have suggestions on how to best give
> > visibility to OPA?
> >
> > Thanks,
> > David
> >
> > On Jun 28, 2010, at 2:26 PM, Dave Wichers wrote:
> >
> >> Excellent. Always glad to hear about new open source. Would you
> >> consider making it an OWASP project?? This could potentially bring
> >> more eyeballs as well as potential contributors to your effort.
> >>
> >> If not, that's perfectly fine, but figured I would ask :-)
> >>
> >> -Dave
> >>
> >> -----Original Message-----
> >> From: David Rajchenbach-Teller [mailto:David.Teller at mlstate.com]
> >> Sent: Monday, June 28, 2010 4:28 AM
> >> To: dave.wichers at owasp.org
> >> Subject: After AppSec Research
> >>
> >>      Hi Dave,
> >> Nice talking to you at AppSec Research last week. I realized after
> >> our conversation on language & paradigm change that I had forgotten
> >> to mention one important point: we are aiming to open-source our OPA
> >> technology. No definite date on this topic yet, but it's in the
> >> wheels. I sincerely hope that we can push the web towards saner
> >> foundations.
> >>
> >> Best regards,
> >> David
> >>
> >> --
> >> David Rajchenbach-Teller
> >> Head of R&D
> >> MLstate
> >>
> >>
> >
> > --
> > David Rajchenbach-Teller
> > Head of R&D
> > MLstate
> >
> >
>
> --
> David Rajchenbach-Teller
>  Head of R&D
>  MLstate
>
>
> _______________________________________________
> Global-projects-committee mailing list
> Global-projects-committee at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/global-projects-committee
>