[GPC] After AppSec Research

Jason Li jason.li at owasp.org
Fri Mar 25 11:00:00 EDT 2011


David,

As far as I know, project leaders can name the project as they see fit. If I
recall correctly, there are a few projects that have not adopted the OWASP
name (JBroFuzz, OpenSAMM, etc.).

However, since there's such a large number of projects that _do_ take the
OWASP mantle as part of their name, I would just warn you that there's
probably going to be community members that end up referring to the project
as OWASP OPA by default.

-Jason

On Fri, Mar 25, 2011 at 8:38 AM, David Rajchenbach-Teller <
David.Teller at mlstate.com> wrote:

> Oh, and our CEO adds « the project must still be called OPA, not OWASP OPA
> ».
> Does this still fit in the OWASP project policies?
>
> Best regards,
>  David
>  --
>   David Rajchenbach-Teller
>   CSO, MLstate
>
>
>
>
> On Mar 21, 2011, at 6:49 PM, Jason Li wrote:
>
> The answer to all of the questions under the current project guidelines is
> yes, with one caveat:
>
>> - the project needs a wiki, but can also have its own external website
>> with, say, examples, forums, etc. - but also commercial offers such as
>> paying support, books, etc.;
>
>
> More accurately, the project needs to have a wiki page on the *OWASP wiki*.
> The project wiki page is meant to be the face of the project. As such, the
> OWASP wiki page should contain all the information necessary for an OWASP
> consumer to understand what the project is about --- which can be
> supplemented by an external website. But we don't want users to *have* to
> jump, nor do we want the wiki page to just be a link or trackback to an
> external project page. We want our OWASP Projects to be a part of, and
> consider themselves a part of, the OWASP community. The OWASP LiveCD project
> is an example of a project where, despite the fact that much of the project
> is hosted at an external website, the project leader (Matt) generally
> references http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project as
> his project home page.
>
> Let us know if you decide to make your project an OWASP project or if you
> have any other questions about OWASP.
>
> -Jason
> OWASP Global Projects Committee Chair
>
> On Mon, Mar 21, 2011 at 12:41 PM, Dave Wichers <dave.wichers at owasp.org> wrote:
>
>> I believe the answer to all of these questions is yes, but we haven't had
>> such a large project come to OWASP before so I think we need to make sure.
>>
>> OWASP has a projects committee which would be the best venue to get these
>> questions sorted out/answered properly.
>>
>> I'm introducing them to this discussion and bowing out. But I'll monitor
>> the thread and if I'm asked for an opinion then I'll be happy to provide one.
>>
>> -Dave
>>
>> -----Original Message-----
>> From: David Rajchenbach-Teller [mailto:David.Teller at mlstate.com]
>> Sent: Monday, March 21, 2011 6:10 AM
>> To: Dave Wichers
>> Subject: Re: After AppSec Research
>>
>>         Hi Dave,
>>  Sorry for the lack of clarity, I actually didn't mean OWASP project yet,
>> just open-source project for the moment. We tend to believe that this might
>> be one of the most important open-sourcing events of the year, given the
>> amount of work that has gone into the development of OPA (between 50 and 100
>> man-years, by my account).
>>
>> However, since our last discussion, I've read the OWASP Project guidelines
>> [1], and it seems that, if I understand it correctly, we could make OPA an
>> OWASP project (note the conditionals - I'm not the one who can give the
>> green light). Just let me recapitulate to be sure that we're on the same
>> wavelength:
>> - making it an OWASP project does not require any transfer of ownership,
>> copyright, etc.;
>> - BSD, GPL and Affero GPL are acceptable licenses for the source code and
>> documentation;
>> - the project leader is in charge of accepting/rejecting contributions,
>> based on quality, compatibility with project objectives and compatibility
>> with project license;
>> - in this case, the project leader is essentially MLstate (or, more
>> precisely, one of our employees);
>> - the project needs a wiki, but can also have its own external website
>> with, say, examples, forums, etc. - but also commercial offers such as
>> paying support, books, etc.;
>> - the wiki can contain our logos (as sponsors/main authors);
>> - the leader is in charge of managing the wiki, the source repository
>> (which would probably be github, in any case), bug tracking, etc.;
>>
>> Is that correct? As you can see, as much as we (and especially I) like
>> open-source, we'd like to be sure that we don't lose either the visibility
>> on the company or the ability to steer OPA towards high security standards -
>> and that's not just market-speech, we have a great team working on
>> constantly improving every aspect of OPA, and it would be a shame to waste
>> this work.
>>
>> Best regards,
>>  David
>>
>> [1] http://www.owasp.org/index.php/Guidelines_for_OWASP_Projects
>>
>> On Mar 18, 2011, at 7:56 PM, Dave Wichers wrote:
>>
>> > And you can ignore my comments about AppSec US. For some reason I had
>> > in my head you were a U.S. company, which you are not. So AppSecEU
>> > would be perfect.
>> >
>> > -Dave
>> >
>> > -----Original Message-----
>> > From: Dave Wichers [mailto:dave.wichers at owasp.org]
>> > Sent: Friday, March 18, 2011 2:49 PM
>> > To: 'David Rajchenbach-Teller'
>> > Subject: RE: After AppSec Research
>> >
>> > That's awesome. And I assume you mean making it an OWASP project too?
>> >
>> > I think AppSecEU would be great, but AppSecUS is in Sept. and might be
>> > more interesting to your constituency, but you could 'announce' it/do
>> > talks at both.
>> >
>> > OWASP will be happy to promote your new project to all of our members
>> > via our leaders list. And then conference talks will create more
>> > visibility. We typically don't advertise outside of OWASP except via our
>> > conferences.
>> > Obviously, it will be on our portal and if you can advance it to what
>> > we refer to as a release quality project (which isn't that hard
>> > actually), then that will help it stand out from the crowd of other
>> > OWASP projects.
>> >
>> > In addition, we have a Global Projects Committee and they may be able
>> > to help you promote your project and solicit participants in your
>> > effort.
>> >
>> > I can introduce you if you'd like.
>> >
>> > I also need to introduce you to Paulo who can help you set up your
>> > OWASP project page, mailing list, etc. Where is your code currently
>> > housed, by the way? In some open source repository yet? If not, I'd
>> > recommend Google code, but we aren't majorly picky about where it is,
>> > as long as it's out in the open.
>> >
>> > -Dave
>> >
>> > -----Original Message-----
>> > From: David Rajchenbach-Teller [mailto:David.Teller at mlstate.com]
>> > Sent: Friday, March 18, 2011 1:47 PM
>> > To: Dave Wichers
>> > Subject: Re: After AppSec Research
>> >
>> >       Hi Dave,
>> >
>> > Well, it took us quite some time and convincing, but we finally have
>> > the green light for the open-sourcing. If things proceed as planned,
>> > everything should be up and running before AppSecEU 2011. Which brings
>> > me to a few points:
>> > - do you think that AppSecEU would be a good place for the official
>> > announcement?
>> > - is there a chance that OWASP could give us a hand for gaining
>> > visibility?
>> > - more generally, do you have suggestions on how to best give
>> > visibility to OPA?
>> >
>> > Thanks,
>> > David
>> >
>> > On Jun 28, 2010, at 2:26 PM, Dave Wichers wrote:
>> >
>> >> Excellent. Always glad to hear about new open source. Would you
>> >> consider making it an OWASP project?? This could potentially bring
>> >> more eyeballs as well as potential contributors to your effort.
>> >>
>> >> If not, that's perfectly fine, but figured I would ask :-)
>> >>
>> >> -Dave
>> >>
>> >> -----Original Message-----
>> >> From: David Rajchenbach-Teller [mailto:David.Teller at mlstate.com]
>> >> Sent: Monday, June 28, 2010 4:28 AM
>> >> To: dave.wichers at owasp.org
>> >> Subject: After AppSec Research
>> >>
>> >>      Hi Dave,
>> >> Nice talking to you at AppSec Research last week. I realized after
>> >> our conversation on language & paradigm change that I had forgotten
>> >> to mention one important point: we are aiming to open-source our OPA
>> >> technology. No definite date on this topic yet, but it's in the
>> >> wheels. I sincerely hope that we can push the web towards saner
>> >> foundations.
>> >>
>> >> Best regards,
>> >> David
>> >>
>> >> --
>> >> David Rajchenbach-Teller
>> >> Head of R&D
>> >> MLstate
>> >>
>> >>
>> >
>> > --
>> > David Rajchenbach-Teller
>> > Head of R&D
>> > MLstate
>> >
>> >
>>
>> --
>> David Rajchenbach-Teller
>>  Head of R&D
>>  MLstate
>>
>>