[Owasp-board] [Owasp-leaders] OWASP leaders, we need your addresses!!!!

Dinis Cruz dinis at ddplus.net
Wed Oct 31 23:58:49 UTC 2007


Hey guys,

see the thread below,

Ivan is raising some important issues and I am curious on your comments on
my answers

Dinis

On 10/31/07, Ivan Ristic <ivan.ristic at gmail.com> wrote:
>
> Sure, I don't mind.
>
> On Oct 31, 2007 10:58 AM, Dinis Cruz <dinis at ddplus.net> wrote:
> > Hey Ivan
> >
> > Are you ok if I forward this email to the owasp-board list? I think it
> > will be good for them to see this thread
> >
> > Dinis
> >
> >
> >
> > On 10/31/07, Dinis Cruz <dinis at ddplus.net> wrote:
> > > Hi Ivan
> > >
> > > Thanks a lot for taking the time to put your comments down.
> > >
> > > See below my answers
> > >
> > >
> > > On 10/29/07, Ivan Ristic <ivan.ristic at gmail.com> wrote:
> > > > Yep, back.
> > > >
> > > > On 10/28/07, Dinis Cruz <dinis at ddplus.net> wrote:
> > > > > Are you back?
> > > > >
> > > > > I really would like to understand your point of view on this
> > > > > incident
> > > >
> > > > It's very nice of you to keep pressing for an explanation. Thanks
> > > > for that. You'll find my response below. It's written in a very
> > > > lets-improve-things spirit and I hope you'll read it that way too.
> > >
> > >
> > > Of course, and the reason I am pursuing this is to improve things for
> > > the future :)
> > >
> > >
> > > > The main issue is that you came across, in that email, as a school
> > > > headmaster yelling at a bunch of misbehaving kids. That's not
> > > > appropriate in circumstances where people have a _hard_ duty to do
> > > > things (e.g. employer-employee relationships) and it's even less
> > > > appropriate in this situation, where we are all donating our time to
> > > > OWASP and trying to do our best while earning a living, etc. I am an
> > > > adult and I expect to be treated that way. (Just FYI, I never saw the
> > > > original email where the address was requested.)
> > >
> > >
> > > Sure, and I put my hands up and say 'Yap it was a bit too harsh', but one
> > > of the things I've learned with communities like this (OWASP) is that you
> > > need strong and focused events to get the less (motivated or focused) people
> > > to take notice.
> > >
> > > I agree that the 'give me your addresses or you're out' was a bit too
> > > radical. That said OWASP is now reaching a level of maturity and usage that
> > > we need our project leaders to take more responsibility for their projects
> > > and activities (i.e. they need to be more involved).
> > >
> > > The relationship between OWASP and its project leaders must be a
> > > two-way-street. OWASP provides visibility, hosting, community, project
> > > development standards (to be defined) and the project leaders provide work
> > > on the project and compliance with OWASP requirements (to be defined :)  ).
> > >
> > > I know that we haven't done this in the past, but we need to start
> > > somewhere, and the plan with the DVD release was to 'beta test' the system
> > > and to iron out any problems before we do the major release/shipping, which
> > > is the OWASP member pack (which will contain books, shirts, USB Stick,
> > > etc...)
> > >
> > >
> > > > Not directly related to my complaint but related: I think positive
> > > > criticism would work much better. I haven't really been following your
> > > > emails to be able to tell, but you may be suffering from trying to
> > > > steer a large organisation where all people are far less interested
> > > > and/or energetic than you are. Personally that's the part I hate most
> > > > about open source/free/community projects - you cannot count on people
> > > > to contribute consistently.
> > >
> > >
> > > Of course, and that is the challenge that we have, and moving forward we
> > > need to define very clear and objective rules on what constitutes an 'active
> > > project leader', since we can't live in a world where somebody does 2 months
> > > (or two years) of very hard work, and then goes 6 months (or 2 years) AWOL!
> > >
> > > Man, this is a very tough problem and one we need to take some time to
> > > discuss and iron out the details.
> > >
> > > This first DVD release is doing exactly what I wanted it to do, which is
> > > to raise questions.
> > >
> > > Also, btw, you were the only one that publicly raised a problem with this
> > > email and we had about 40 positive responses from the others. So hopefully
> > > your response to this email (which is very important and I am sure you are
> > > not the only one  :(  ) are not the majority of the owasp-leaders.
> > >
> > >
> > > > I also think you need to have rules in order to declare that people
> > > > are breaking them. So perhaps we should establish minimal requirements
> > > > for someone to be a Chapter or a project leader. Or am I missing a
> > > > bigger purpose of these DVDs?
> > >
> > >
> > > OWASP leader rules are the key of all this, and that is what I want to
> > > define next.
> > >
> > > I was thinking of creating a simple 'OWASP Project leader charter' which
> > > clearly defines those requirements.
> > >
> > >
> > > > This is the worst part of your email:
> > > >
> > > > > So here is the deal: if you guys don't tell Yiannis your contact details (i.e. postal address)
> > > > > where you can receive official OWASP correspondence, I will add your project to the list of
> > > > > projects that need new leadership that I will officially announce at the next OWASP
> > > > > conference.
> > >
> > >
> > > Yeah, sorry, it is a bit harsh :)
> > >
> > > That said, in my rough estimates about 50% of the current OWASP projects
> > > and Chapters are dead and going nowhere
> > >
> > >
> > > > It's just ugly. Three issues:
> > > >
> > > > - I don't think you have the authority to decide - at a whim - the
> > > > good-enough leadership criteria. Such things must be discussed by the
> > > > community.
> > >
> > >
> > > Sure, and I would never do that without first consulting the owasp-leaders
> > > community
> > >
> > >
> > > > - Even if you did (have the authority), the way you said is just very
> > > > impolite. I think it has damaged the community. If I were outside
> > > > OWASP I would permanently decide not to join purely on the basis of
> > > > this one email. Why would I want to be treated this way? Hey, if I
> > > > would get such emails from my boss at work I would find another job.
> > > > And for OWASP I _volunteer_ my time. You are the most exposed member
> > > > of OWASP. For many people you _are_ OWASP. So you have great
> > > > responsibility on your shoulders because (mostly) you get to set the
> > > > tone for the entire organisation. Do you want it to be a good place
> > > > where people like participating? Or a place where people yell at each
> > > > other?
> > >
> > >
> > > OK, we need to strike a balance, but as OWASP matures the demands on
> > > project leaders (at least the ones with high visibility) will increase. The
> > > question is how does OWASP apply that pressure right?
> > >
> > > And since everything at OWASP is Open Source the only REAL power and
> > > leverage that the OWASP board (i.e. leaders as a community) have is the
> > > decision of who is a project leader
> > >
> > >
> > > > - What do the addresses have to do with project leadership?
> > >
> > >
> > > In my view, they are a basic indicator of commitment.
> > >
> > > Firstly there is an argument that OWASP should know WHO the project
> > > leaders are (we could agree to disagree on this one, but I think that it is
> > > reasonable for OWASP to start to have strong Authentication processes for
> > > the people committing code that will be used under the OWASP brand)
> > >
> > > Secondly, unless the project leader is on holidays, or doesn't read the
> > > owasp-leaders emails at least once a week, sending the address (or a note
> > > saying 'thanks but no thanks') is not too much to ask, don't you agree?
> > >
> > >
> > > > It seems to be you were just abusing your position to do whatever you
> > > > feel is the right thing to do. Not do what the community believes is
> > > > the right thing to do.
> > >
> > >
> > > But what does the community believe is the right thing to do? The main
> > > problem with this community is its silence :)
> > >
> > > Any ideas on how to improve it?
> > >
> > >
> > > > Finally, what's the big deal with the addresses? The fact that people
> > > > didn't send them just shows that they are not interested. You cannot
> > > > force anything on people - they'll just throw the DVDs away after
> > > > receiving them.
> > >
> > >
> > > The DVDs are just an excuse to sort out all operation issues related to
> > > sending stuff to OWASP members and leaders (for example it took more than
> > > one week to get an updated list of OWASP members :)   )
> > >
> > > Let's talk further about this,
> > >
> > > Thanks again for your comments
> > >
> > > Dinis
> > >
> > >
> > >
> > >