[Owasp-board] (what to do with inactive projects) Fwd: OWASPProject/Summer of Code

Dave Wichers dave.wichers at owasp.org
Thu Jun 5 14:42:48 UTC 2008

I would think that any Alpha/Beta quality projects that haven't been
actively worked on in a year should be moved to Inactive. I think we should
retain release quality projects in general, or maybe make it more like 2
years of inactivity for such projects.




From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Paulo Coimbra
Sent: Wednesday, June 04, 2008 4:34 PM
To: 'OWASP Foundation Board List'
Subject: Re: [Owasp-board] (what to do with inactive projects) Fwd:
OWASPProject/Summer of Code


Hello Board,


I have created a new category called 'Inactive Projects' on the
OWASP Projects page and the same one on
<https://www.owasp.org/index.php/Category:OWASP_Project_Assessment> OWASP
Project Assessment table. If you agree with this, we need to define the
respective criterion. 


Thank you. 


Paulo Coimbra, 

Project Manager 

The OWASP Foundation <https://www.owasp.org/index.php/Main_Page>  


AppSec NYC 2008 is coming...  are you ready?


From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of dinis cruz
Sent: 04 June 2008 16:55
To: OWASP Foundation Board List
Subject: [Owasp-board] (what to do with inactive projects) Fwd:
OWASPProject/Summer of Code


A good question raised by this email thread is what to do with 'dead /
inactive' projects (specially when there is a new one focused on the same


The short term plan is to move it to a new 'inactive projects' category on
the project's page, but in the medium term we should have a more formal
process for this



---------- Forwarded message ----------
From: Achim Hoffmann <ah at securenet.de>
Date: Wed, Jun 4, 2008 at 4:36 PM
Subject: RE: OWASP Project/Summer of Code
To: Paulo Coimbra <paulo.coimbra at owasp.org>, Dinis Cruz
<dinis.cruz at owasp.org>
Cc: Achim Hoffmann <ah at securenet.de>

Hi Paulo,
Hi Dinis,

see inline below.


!! Next, I've talked about your project with Dinis Cruz
(dinis.cruz at owasp.org)
!! and we concluded that your project appears to have large similarities
!! the OWASP <http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project>
!! CAL9000 Project.

yes, for sure.
As I explained in Gent, it was initially based on the code of CAL9000 in
which I also participated.
But it's much more complete now according the en-/decodings (including
some eastereggs:). A lot of bugs fixed also.

As the XHR functionality in the CAL9000 project seems to be a dead end
currently, unfortunatelly, I decided to make a split and concentrate on
the other parts.

 is someone out there to implement the functionality of JavaScript's
 XHR in java, so it works in a browser?
 IMHO it's still worth to build a fuzzing tool inside the browser, but
 that requires something better (for testers, not users) than XHR.
 Dinis, what do you think?

!! We would like to hear your opinion about this. However, if you agree with
!! us, I suggest contacting Project
!! ibutors>  Contributors to discuss further developments.

I have been in deep contact with Christopher Loomis, the author of CAL9000,
while we added some of the en-/decoding functions.

!! Nevertheless, be aware that this project seems to be a bit stagnant - as
!! will see, the project's page hasn't been changed since December 2006.

Christopher Loomis told me in mid 2006 that he will no longer develop
due to personal reasons.
(if you like, I'll grep for the original email ...)
That's the second reason why I started a new tool.

!! Therefore, it's possible that project has lost its leadership. If so,
!! consider assuming the referred role. Otherwise, please negotiate directly
!! what kind of contribution will you provide and what paths should be
!! followed. In any case, please keep us informed.

I'm willing to make my code (well, some parts are shameless copied:)
public. But I'd like to hear some opinions from others if it's worth and
if it is useful. I don't want to waste resources (my time for example)
just for something "nice to have" but not really useful.
There is still a lot of to do, improvements, bugfixes, etc.. I'd also
like to discuss further development with others as I have some more
ideas. For example I can think of integrating parts of my code into BeEF,
hackvertor or similar. Unfortunatelly the authors didn't respond to my

Making my code part of CAL9000 again will be hard work. I would not do
that as some parts of CAL9000 are no longer (in modern browsers) working
propper. This means that we improve the en-/decoding there, leaving the
rest more or less unusable. Additional there is the risk of making the
original tool unstable due to the changes.
Hence I prefer a new tool/project, leaving CAL9000 as is.

!! Please, don't hesitate to get back to me whenever you think that I can
!! with.

Here I'm.
Again, my idea is that the en-/decoding functionality (at least those
according web applications) might be useful in other tools too. It would
be great if someone else concludes to this. Then there is some challange
to continue on my work.
Do you think it's worth that you -as OWASP project leader- contact some
other authors?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20080605/57aff7a4/attachment-0002.html>

More information about the Owasp-board mailing list