[Owasp-board] (only board) Issue with Mike B Fwd: [Owasp-leaders] Commercial Services Registry -- Live!

Eoin eoin.keary at owasp.org
Fri May 14 13:20:27 UTC 2010


Guys,
To be honest,

I raised issues re the commercial registry weeks ago and *got very little
support* from any of the board imho.

*The issue of governance is still on my mind*. I have seen it too many times
before; a great organisation or project that gets corrupted or twisted by
commercial interests......*I don't want OWASP to look like ISC2 in 5 years
time* where all the leadership is concerned with are membership funds,
funding, commercial vehicles etc... I did not get involved with OWASP 6
years ago for that.

*We need to control this open-source - commercial relationship* in a
measured way. Sometimes I personally feel it's getting a little out of
control. We need to take it a little slower and think in a strategic manner.

It appears/feels sometimes that those who shout louder get heard and some
board members are "more equal" than others.

Mike is great but I also got some shite emails from him, that for me is
like waving a red rag to a bull. He does not take direction very well. I
believe no one person owns any project, OWASP is the ultimate parent i.e.
The board.

So these are my thoughts on the issue, my cards on the table, if you will.

-ek

On 14 May 2010 01:32, dinis cruz <dinis.cruz at owasp.org> wrote:

> Ok, I have tried to be REALLY patient and politically correct here, but I'm
> running out of arguments (and he doesn't read my answers so it is a bit
> pointless to try to change his mind)
>
> Please see the thread below and advise on the next steps.
>
> Jeff or Dave, since Mike B is close to you, are you able to talk to him?
>
> In the past, I was never happy with Mike B.'s lack of respect for our community
> and his 'way over the top' ASVS promotion (which was never a big issue since
> ASVS never really took off), BUT this project (Commercial Services) is WAY too
> critical for OWASP to continue like this, so either he changes or we have to
> take over it and find a new leader.
>
> What do you think?
>
> Dinis
>
>
> ---------- Forwarded message ----------
> From: dinis cruz <dinis.cruz at owasp.org>
> Date: 14 May 2010 01:25
> Subject: Re: [Owasp-leaders] Commercial Services Registry -- Live!
> To: mike.boberski at gmail.com
>
>
> Mike we might need to talk this over the phone since you are not
> understanding my worries and I don't think we are communicating here.
>
>  Also you are confusing the issues.
>
> The email to the leaders list was about the case of *Training Courses
> around OWASP projects*, which is a very specific variation of the bigger
> 'Commercial Services' database that you are working on (for example the
> courses have the specific scenario of the leaders doing/selling the
> training). Of course that there is overlap, and in fact, this type of
> analysis is one of the things I feel is currently missing from the OWASP Commercial
> Services <http://www.owasp.org/index.php/Commercial_Services> project
> (i.e. we will need to do similar analysis for the other type of Commercial
> Services that can be provided around OWASP Projects)
>
> My direct email to you was about the current state of the 'Commercial
> Services' page and my worries about how it is currently being presented.
>
> Mike, I would recommend that you take a deep breath, re-read my emails and
> re-think your attitude to your fellow OWASP community members.
>
> The 'Commercial Services' initiative is a very powerful but also very
> dangerous endeavour for OWASP, and we have to make sure that our community
> supports it. Which means that whoever is leading the 'Commercial Services'
> OWASP project (and it is a project) needs to have a LOT of sensitivity (and
> diplomacy) when presenting and handling it.
>
> *To be 100% honest with you Mike, it is great that you had the energy to
> kick start the OWASP Commercial Services
> <http://www.owasp.org/index.php/Commercial_Services> project, BUT you are
> being too cavalier, insensitive and apparently not aware of the massive
> implications (both good or bad) that this project has for OWASP.*
>
> *I REALLY ask you to have a change of heart and change your attitude,
> since if you don't, my view is that you can't continue to lead the OWASP
> Commercial Services <http://www.owasp.org/index.php/Commercial_Services>
> project.*
>
> Since you probably won't follow my advice and will be very annoyed with
> me, can I at least recommend that you have a word with Jeff about this? (I
> will forward this thread to the board so he will be aware of the issue)
>
> Hopefully we can work this out,
>
> Best regards
>
> Dinis Cruz
>
>
>
> On 14 May 2010 00:55, Mike Boberski <mike.boberski at gmail.com> wrote:
>
>> Let me follow up more on this.
>>
>> If you cut the legs out from under this registry before we can get at
>> least some people to sign on, you'll kill it.
>>
>> Kate's not alone on vetting descriptions, we're going to work together,
>> and enlist any additional help needed to get this going as smoothly as
>> possible.
>>
>> I don't want to be a dick but your note to leaders pissed me off. Sorry.
>> Should've kept chatting with me. I'm ok with discussing publicly if that's
>> what you choose.
>>
>> Mike
>>
>>
>>
>> On Thu, May 13, 2010 at 7:49 PM, Mike Boberski <mike.boberski at gmail.com> wrote:
>>
>>> I don't understand what your objections are. If you're a defender, let's
>>> continue on. Certainly we can adapt as we go with criteria. I completely
>>> object to this being put into a project criteria, it is the same from an
>>> OWASP perspective as jobs page.
>>>
>>> Mike
>>>
>>>
>>>
>>> On Thu, May 13, 2010 at 7:21 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
>>>
>>>> Mike, just to clarify something, you know that I am on the OWASP Board
>>>> right?
>>>>
>>>> We have talked several times about this topic at OWASP Board meetings
>>>> (and in fact I was one of the big defenders to move this forward and to try
>>>> to figure out how to do this (I also have been thinking about this issue for
>>>> a couple years now, have a good idea of how we could make this work, and
>>>> just like you, have spoken to Jeff about it))
>>>>
>>>> See also below a couple more comments on your answers:
>>>>
>>>>  On 13 May 2010 23:18, Mike Boberski <mike.boberski at gmail.com> wrote:
>>>>
>>>>> Hi Dinis, thanks for writing.
>>>>>
>>>>> Right now it's being administered *exactly* like the jobs page. The
>>>>> page is locked and requests go to Kate. It doesn't really fit the mold as an
>>>>> OWASP project per se, is no different than the jobs page basically.
>>>>>
>>>>
>>>> I beg to differ, this is a very different beast when compared with the
>>>> Jobs page (with massive good and bad implications)
>>>>
>>>>
>>>>> So, while initially described as a "project", not really.
>>>>>
>>>>
>>>> Well OWASP projects cover a very wide range of topics and activities
>>>> so although this 'initiative' is not really a tool or a document, it has the
>>>> same needs for: project leader, description, mailing list, etc.. (i.e. the
>>>> information we capture with the Project Informations tab)
>>>>
>>>>
>>>> So unless you disagree, I will ask Paulo to create this project and put
>>>> you and me as the project leaders (anybody else we should invite to the
>>>> leadership of this project)
>>>>
>>>>
>>>>>
>>>>> We're live, waiting for applications.
>>>>>
>>>>
>>>> And this is exactly my worry, I don't think this initiative is ready for
>>>> prime-time since we are still quite far away from having a working model
>>>> that works (and one that our community is comfortable with)
>>>>
>>>> In fact, just the fact that we don't have any real-world data in there
>>>> (i.e. real cases of companies/individuals that provide these services)
>>>> justifies the use on these pages of BETA or *'we are still trying to
>>>> figure out how to do this' *tags
>>>>
>>>>
>>>>> I actually don't know your affiliation, but please do go ahead and
>>>>> submit an application.
>>>>>
>>>>
>>>> I'm raising my concerns and opinions as an OWASP Board member (not as a
>>>> company/individual wanting to be listed)
>>>>
>>>>
>>>>> A Booz Allen one will be forthcoming for example, but I wasn't able to
>>>>> start the company machinery until the registry was up. Will take a little
>>>>> bit of time for the Booz Allen, since have to describe an approach, rather
>>>>> than use a single generic already vetted description. I know a number of
>>>>> other companies are in the same state based on inquiries. The example is
>>>>> helpful I think to leave up for right now, it will be removed once a first
>>>>> listing in each category is ready.
>>>>>
>>>>
>>>> Sure, but please take into consideration that these are not the final
>>>> rules of engagement, and only as we try this out, will we be able to figure
>>>> out what works (and what is accepted by our community)
>>>>
>>>>>
>>>>> While I completely appreciate that it may look like it was me on my own
>>>>> based on the leaders mail list, there have been very lengthy conversations
>>>>> with Jeff and Dave, I didn't just toss it up, it was only done with Jeff's
>>>>> permission. This is from a certain point of view since we've not chatted on
>>>>> this topic (which I'm happy to do, hopefully this email is evidence), a
>>>>> culmination of more than two years of conversations with Jeff and Dave and
>>>>> others, as I'd tried to stand this up in tandem with ASVS,
>>>>>
>>>>
>>>> I'm aware of that and I fully appreciate the effort you have put into
>>>> this.
>>>>
>>>>
>>>>> so rest assured every detail has been carefully, *painfully*, planned
>>>>> out.
>>>>>
>>>>
>>>> Where can I see this?
>>>>
>>>> So far I have seen the original document you sent, the emails and the
>>>> FAQ on the main 'Commercial Services' page.
>>>>
>>>> Did I miss anything?
>>>>
>>>> There are a lot of unanswered questions (and I have already started to
>>>> hear muted noises/worries about this), so we really need to build up that
>>>> FAQ and put as much information as possible on those WIKI Pages
>>>>
>>>>
>>>>> We did make tweaks after the initial RFC email as well, to take into
>>>>> account community input.
>>>>>
>>>>
>>>> yap I saw that.
>>>>
>>>> Let's make this happen :)
>>>>
>>>> Best regards
>>>>
>>>> Dinis Cruz
>>>>
>>>
>>>
>>
>
>


-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

http://asg.ie/
https://twitter.com/EoinKeary