[Owasp-board] (only board) Issue with Mike B Fwd: [Owasp-leaders] Commercial Services Registry -- Live!

Eoin eoin.keary at owasp.org
Fri May 14 14:13:45 UTC 2010


What day is the summit on? and what time?

On 14 May 2010 15:09, Tom Brennan <tomb at owasp.org> wrote:

>
> Seems like the face-to-face value of the OWASP Summit in Sweden will be
> very interactive so we need to try to get the players in the room.
>
> Like most orgs., that have missions and agendas - it is useful to do a full
> day meeting to hash out the 12 month - 24 month and beyond plan - it's time
> prior to a fork in the org.
> I
>
>
>
>  On May 14, 2010, at 9:20 AM, Eoin wrote:
>
>  Guys,
> To be honest,
>
> I raised issues re the commercial registry weeks ago and *got very little
> support* from any of the board imho.
>
> *The issue of governance is still on my mind*. I have seen it too many
> times before; a great organisation or project that gets corrupted or twisted
> by commercial interests......*I don't want OWASP to look like ISC2 in 5
> years time* where all the leadership is concerned with are membership
> funds, funding, commercial vehicles etc... I did not get involved with OWASP
> 6 years ago for that.
>
> *We need to control this open-source - commercial relationship* in a
> measured way. Sometimes I personally feel it's getting a little out of
> control. We need to take it a little slower and think in a strategic manner.
>
> It appears/feels sometimes that those who shout louder get heard and some
> board members are "more equal" than others.
>
> Mike is great but I also got some shite emails from him, that for me that
> is like waving a red rag to a bull. He does not take direction very well. I
> believe no one person owns any project, OWASP is the ultimate parent i.e.
> The board.
>
> So these are my thoughts on the issue, my cards on the table, if you will.
>
> -ek
>
> On 14 May 2010 01:32, dinis cruz <dinis.cruz at owasp.org> wrote:
>
>> Ok, I have tried to be REALLY patient and politically correct here, but
>> I'm running out of arguments (and he doesn't read my answers so it is a bit
>> pointless to try to change his mind)
>>
>> Please see the thread below and advise on the next steps.
>>
>> Jeff or Dave, since Mike B is close to you, are you able to talk to him?
>>
>> In the past, I was never happy with Mike B.'s lack of respect for our community
>> and his 'way over the top' ASVS promotion (which was never a big issue since
>> ASVS never really took off), BUT this project (Commercial Services) is WAY too
>> critical for OWASP to continue like this, so either he changes or we have to
>> take over it and find a new leader.
>>
>> What do you think?
>>
>> Dinis
>>
>>
>> ---------- Forwarded message ----------
>> From: dinis cruz <dinis.cruz at owasp.org>
>> Date: 14 May 2010 01:25
>> Subject: Re: [Owasp-leaders] Commercial Services Registry -- Live!
>> To: mike.boberski at gmail.com
>>
>>
>> Mike we might need to talk this over the phone since you are not
>> understanding my worries and I don't think we are communicating here.
>>
>>  Also you are confusing the issues.
>>
>> The email to the leaders list was about the case of *Training Courses
>> around OWASP projects*, which is a very specific variation of the bigger
>> 'Commercial Services' database that you are working on (for example the
>> courses have the specific scenario of the leaders doing/selling the
>> training). Of course there is overlap, and in fact, this type of
>> analysis is one of the things I feel is currently missing from the OWASP Commercial
>> Services <http://www.owasp.org/index.php/Commercial_Services> project
>> (i.e. we will need to do similar analysis for the other type of Commercial
>> Services that can be provided around OWASP Projects)
>>
>> My direct email to you was about the current state of the 'Commercial
>> Services' page and my worries about how it is currently being presented.
>>
>> Mike, I would recommend that you take a deep breath, re-read my emails and
>> re-think your attitude to your fellow OWASP community members.
>>
>> The 'Commercial Services' initiative is a very powerful but also very
>> dangerous endeavour for OWASP, and we have to make sure that our community
>> supports it. Which means that whoever is leading the 'Commercial Services'
>> OWASP project (and it is a project) needs to have a LOT of sensitivity (and
>> diplomacy) when presenting and handling it.
>>
>> *To be 100% honest with you Mike, it is great that you had the energy to
>> kick start the OWASP Commercial Services <http://www.owasp.org/index.php/Commercial_Services>
>> project, BUT you are being too cavalier, insensitive and apparently not
>> aware of the massive implications (both good or bad) that this project has
>> for OWASP.*
>>
>> *I REALLY ask you to have a change of heart and change your attitude,
>> since if you don't, my view is that you can't continue to lead
>> the OWASP Commercial Services <http://www.owasp.org/index.php/Commercial_Services>
>> project.*
>>
>> Since you probably won't follow my advice and will be very annoyed with
>> me, can I at least recommend that you have a word with Jeff about this? (I
>> will forward this thread to the board so he will be aware of the issue)
>>
>> Hopefully we can work this out,
>>
>> Best regards
>>
>> Dinis Cruz
>>
>>
>>
>> On 14 May 2010 00:55, Mike Boberski <mike.boberski at gmail.com> wrote:
>>
>>> Let me follow up more on this.
>>>
>>> If you cut the legs out from under this registry before we can get at
>>> least some people to sign on, you'll kill it.
>>>
>>> Kate's not alone on vetting descriptions, we're going to work together,
>>> and enlist any additional help needed to get this going as smoothly as
>>> possible.
>>>
>>> I don't want to be a dick but your note to leaders pissed me off. Sorry.
>>> Should've kept chatting with me. I'm ok with discussing publicly if that's
>>> what you choose.
>>>
>>> Mike
>>>
>>>
>>>
>>> On Thu, May 13, 2010 at 7:49 PM, Mike Boberski <mike.boberski at gmail.com> wrote:
>>>
>>>> I don't understand what your objections are. If you're a defender, let's
>>>> continue on. Certainly we can adapt as we go with criteria. I completely
>>>> object to this being put into a project criteria, it is the same from an
>>>> OWASP perspective as jobs page.
>>>>
>>>> Mike
>>>>
>>>>
>>>>
>>>> On Thu, May 13, 2010 at 7:21 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
>>>>
>>>>> Mike, just to clarify something, you know that I am on the OWASP Board
>>>>> right?
>>>>>
>>>>> We have talked several times about this topic at OWASP Board meetings
>>>>> (and in fact I was one of the big defenders to move this forward and to try
>>>>> to figure out how to do this (I also have been thinking about this issue for
>>>>> a couple years now, have a good idea of how we could make this work, and
>>>>> just like you, have spoken to Jeff about it))
>>>>>
>>>>> See also below a couple more comments on your answers:
>>>>>
>>>>>  On 13 May 2010 23:18, Mike Boberski <mike.boberski at gmail.com> wrote:
>>>>>
>>>>>> Hi Dinis, thanks for writing.
>>>>>>
>>>>>> Right now it's being administered *exactly* like the jobs page. The
>>>>>> page is locked and requests go to Kate. It doesn't really fit the mold as an
>>>>>> OWASP project per se, is no different than the jobs page basically.
>>>>>>
>>>>>
>>>>> I beg to differ, this is a very different beast when compared with the
>>>>> Jobs page (with massive good and bad implications)
>>>>>
>>>>>
>>>>>> So, while initially described as a "project", not really.
>>>>>>
>>>>>
>>>>> Well OWASP projects cover a very wide range of topics and activities
>>>>> so although this 'initiative' is not really a tool or a document, it has the
>>>>> same needs for: project leader, description, mailing list, etc.. (i.e. the
>>>>> information we capture with the Project Informations tab)
>>>>>
>>>>>
>>>>> So unless you disagree, I will ask Paulo to create this project and put
>>>>> you and me as the project leaders (anybody else we should invite to the
>>>>> leadership of this project)
>>>>>
>>>>>
>>>>>>
>>>>>> We're live, waiting for applications.
>>>>>>
>>>>>
>>>>> And this is exactly my worry, I don't think this initiative is ready
>>>>> for prime-time since we are still quite far away from having a working model
>>>>> that works (and one that our community is comfortable with)
>>>>>
>>>>> In fact, just the fact that we don't have any real-world data in there
>>>>> (i.e. real cases of companies/individuals that provide these services)
>>>>> justifies the use on these pages of BETA or *'we are still trying to
>>>>> figure out how to do this' *tags
>>>>>
>>>>>
>>>>>> I actually don't know your affiliation, but please do go ahead and
>>>>>> submit an application.
>>>>>>
>>>>>
>>>>> I'm raising my concerns and opinions as an OWASP Board member (not as a
>>>>> company/individual wanting to be listed)
>>>>>
>>>>>
>>>>>> A Booz Allen one will be forthcoming for example, but I wasn't able to
>>>>>> start the company machinery until the registry was up. Will take a little
>>>>>> bit of time for the Booz Allen, since have to describe an approach, rather
>>>>>> than use a single generic already vetted description. I know a number of
>>>>>> other companies are in the same state based on inquiries. The example is
>>>>>> helpful I think to leave up for right now, it will be removed once a first
>>>>>> listing in each category is ready.
>>>>>>
>>>>>
>>>>> Sure, but please take into consideration that these are not the final
>>>>> rules of engagement, and only as we try this out, will we be able to figure
>>>>> out what works (and what is accepted by our community)
>>>>>
>>>>>>
>>>>>> While I completely appreciate that it may look like it was me on my
>>>>>> own based on the leaders mail list, there have been very lengthy
>>>>>> conversations with Jeff and Dave, I didn't just toss it up, it was only done
>>>>>> with Jeff's permission. This is from a certain point of view since we've not
>>>>>> chatted on this topic (which I'm happy to do, hopefully this email is
>>>>>> evidence), a culmination of more than two years of conversations with Jeff
>>>>>> and Dave and others, as I'd tried to stand this up in tandem with ASVS,
>>>>>>
>>>>>
>>>>> I'm aware of that and I fully appreciate the effort you have put into
>>>>> this.
>>>>>
>>>>>
>>>>>> so rest assured every detail has been carefully, *painfully*, planned
>>>>>> out.
>>>>>>
>>>>>
>>>>> Where can I see this?
>>>>>
>>>>> So far I have seen the original document you sent, the emails and the
>>>>> FAQ on the main 'Commercial Services' page.
>>>>>
>>>>> Did I miss anything?
>>>>>
>>>>> There are a lot of unanswered questions (and I have already started to
>>>>> hear muted noises/worries about this), so we really need to build up that
>>>>> FAQ and put as much information as possible on those WIKI Pages
>>>>>
>>>>>
>>>>>> We did make tweaks after the initial RFC email as well, to take into
>>>>>> account community input.
>>>>>>
>>>>>
>>>>> yap I saw that.
>>>>>
>>>>> Let's make this happen :)
>>>>>
>>>>> Best regards
>>>>>
>>>>> Dinis Cruz
>>>>>
>>>>
>>>>
>>>
>>
>>
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>
>>
>
>
> --
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
>
> http://asg.ie/
> https://twitter.com/EoinKeary
>
>
>


-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

http://asg.ie/
https://twitter.com/EoinKeary