[Owasp-board] IMPORTANT: Proposed (revised) model for the 'OWASP Commercial Services' pages

dinis cruz dinis.cruz at owasp.org
Tue Jun 1 14:28:12 UTC 2010


Good idea Eoin, and I will send that request/vote as soon as we get some
comments from Jeff, Dave and Tom

I really would like to hear what they have to say about the proposed 'OWASP
Commercial Services' model.

Dinis Cruz


On 1 June 2010 15:15, Eoin <eoin.keary at owasp.org> wrote:

> My suggestion;
>
> Please send the proposal with no "noise" in the email, simply the proposal,
> so we can review and agree/disagree with this project.
>
>
> 1. Is this a viable project. (please reflect on the benefit to OWASP in
> making this decision) (Y/N)
> 2. If (Y), are the stated governance articles sufficient? Do they need any
> amendment, adjustment?
>
>
> Eoin
> On 1 June 2010 13:49, dinis cruz <dinis.cruz at owasp.org> wrote:
>
>>
>> On 1 Jun 2010, at 13:08, Tom Brennan - OWASP <tomb at owasp.org> wrote:
>>
>>   Great clarification, good framework.
>>
>> Thanks, any problems with presenting this to the leaders as a model that
>> makes sense to the OWASP Board for the 'OWASP Commercial Services'?
>>
>>   Has this draft been shared with mike yet?
>>
>>
>> The answer to your question is at the bottom of my email. I did call him
>> and spent 16m trying to explain it to him.
>>
>> He refused to understand, did not agree with the model, and took personal
>> offence to my comments.
>>
>>   Perhaps we should share this, request his proposal in a similar write
>> up and then invite him to the next board meeting to compare models "open"
>> and a final vote on the topic after hearing both sides. Typically this would
>> be a GPC focus.
>>
>>
>> Of course I want to share this (and we need to do it with the 'OWASP Board
>> voice'). But Mike's latest actions (namely the emails he sent yesterday to
>> the list AFTER he spoke to me) create a situation where we will have to
>> contradict him.
>>
>>   Might be politically correct, but we want to encourage volunteerism and
>> use this as another example of how OWASP really works.
>>
>>
>> Of course that we want, but there is a moment where we have to draw a
>> line, and in this case Mike crossed several lines that he shouldn't have
>> crossed
>>
>> Like I said in my previous email, in my view, there are two courses of
>> action which we need to decide on ASAP (i.e. today)
>>
>> 1) Approve a model that the board recommends as the 'current proposed
>> model to see if we can get this to work' (based on the model I present
>> below (please feel free to propose changes))
>>
>> 2) Start the process of opening an 'OWASP Inquire' on Mike's actions as
>> OWASP Leader (which we will also have to communicate to the leaders list)
>>
>> To make 1) more calm in the short term, we also need to remove Mike from
>> that project/initiative and leave me and Eoin in there
>>
>> Dinis
>>
>>
>>
>>
>>
>>
>>
>> On Jun 1, 2010, at 4:49 AM, Eoin <eoin.keary at owasp.org> wrote:
>>
>>   Dinis/Board,
>> also as discussed in London,
>> There needs to be minimum number of feedback entries (3 or so?) before any
>> feedback is posted to ensure fairness and avoid targeted emotive reviews.
>>
>> Eoin
>>
>>
>> On 31 May 2010 20:17, dinis cruz <dinis.cruz at owasp.org> wrote:
>>
>>> Board
>>>
>>> After much discussion with a lot of OWASP leaders (both online and
>>> personally) and after receiving a lot of direct comments/worries about how
>>> it was currently being set-up (and led), I think we (the OWASP Leaders in
>>> London last week) have come up with a model that should work, and is VERY
>>> compatible with OWASP values and focus on visibility.
>>>
>>> Here is the proposed model (read it twice (since the first couple
>>> Articles will only really make sense the 2nd time round :)  )
>>>
>>> ------------------------------
>>>
>>> Article 1: The OWASP Commercial Services (hosted at
>>> http://www.owasp.org/index.php/Commercial_Services) is a service
>>> provided by OWASP to its community aimed at:
>>>                         a) exposing the OWASP Community to companies
>>> providing commercial services (good or bad) around one or more OWASP
>>> Projects (Tools or Documents)
>>>                         b) reward companies, individuals or OWASP Leaders
>>> that provide successful commercial (i.e. paid for) services around OWASP
>>> Projects (with the hope that this will create a positive investment cycle
>>> that will greatly benefit those OWASP Projects and community)
>>>
>>> Article 2: The Companies or Individuals providing these commercial
>>> services ARE NOT ALLOWED to post on the 'OWASP Commercial Services' area any
>>> details about the services they currently provide
>>>
>>> Article 3: The only 'entities' that ARE ALLOWED to post on the 'OWASP
>>> Commercial Services' area are existing OWASP Members who are/were CLIENTS of
>>> those services, and who, ON THE RECORD, have to provide a comment (good or
>>> bad) about the services they receive.
>>>
>>> Article 4: The Companies or Individuals providing these commercial
>>> services ARE ALLOWED to comment on the comments made about them (i.e. from
>>> Article 3.)
>>>
>>> Article 5: ONLY the OWASP Project/Chapter Leaders ARE ALLOWED, at
>>> their discretion, good taste and common sense, to regularly communicate
>>> (i.e. advertise) to THEIR PROJECT MAILING LIST the commercial services
>>> provided around their project/chapter
>>>
>>> Article 6: There will be very clear points of contact for the reporting
>>> of any abuses on the 'OWASP Commercial Services' model (which optionally can
>>> be made anonymously). Any reports will be investigated by a team made
>>> of several OWASP Committee and Board members, with their findings and
>>> recommendations acted upon.
>>>
>>> Article 7: The first phase of the 'OWASP Commercial Services' will be
>>> implemented on top of the existing OWASP Website engine (i.e. MediaWiki) and
>>> as the transaction volume grows, and if needed, the service will move to a
>>> more powerful community/social web solution
>>>
>>> ------------------------------
>>>
>>> And that's it :)
>>>
>>> Here is what I like about this model and the problems it solves/prevents:
>>>
>>>    - it puts our community at the heart of this service in a way that
>>>    they also have a lot to benefit from its existence (in fact, we do this
>>>    right and some companies could even join because of this)
>>>    - It only allows existing and (hopefully) successful commercial
>>>    deliveries of 'OWASP Projects related services' to be listed (i.e. there is
>>>    a hard requirement that the listings start with a 'real world' delivery of
>>>    one of these services)
>>>    - prevents the proactive existence  of 'Marketing Speak', of the
>>>    tendency to write a 'Super list of ALL potential OWASP related services
>>>    provided by Company XYZ' and (more importantly) the exaggeration of the type
>>>    of services provided
>>>    - It creates a way for our projects/chapter leaders to advertise to
>>>    their communities the services being provided around their project
>>>    (including the ones they (the project leader) are providing and delivering)
>>>    - The room for abuse is quite limited by the fact that everything is
>>>    on the record (although we have to leave an obvious open channel  for direct
>>>    reports on such abuses)
>>>    - The fact that we put the onus of managing these commercial
>>>    communities on the project/chapter leader (or whoever he delegates to),
>>>    creates a nice 'self protecting system'. This happens because the
>>>    project/chapter leaders are 'by design' pressured to have an independent and
>>>    balanced opinion/position (since if he/she abuses his/her community he/she
>>>    will be killing it)
>>>    - finally if we get this right, we should see a huge increase in the
>>>    number of OWASP Leaders being directly paid to work on OWASP projects, which
>>>    has to be a good thing :)
>>>
>>>
>>> What do you think?
>>>
>>> Let's see if we can get a consensus from the board on this one, so that we
>>> can present this to the owasp-leaders and vote on it at the OWASP Board
>>> meeting next week.
>>>
>>> (Btw, I just called Mike Boberski to explain to him this 'revised' model and
>>> he was NOT happy with this model, but that is the topic for another email)
>>>
>>> Dinis Cruz
>>>
>>>
>>>
>>>
>>
>>
>> --
>> Eoin Keary
>> OWASP Global Board Member
>> OWASP Code Review Guide Lead Author
>>
>> http://asg.ie/
>> https://twitter.com/EoinKeary
>>
>>
>>
>
>
> --
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
>
> http://asg.ie/
> https://twitter.com/EoinKeary
>