[Owasp-board] (only board) Issue with Mike B Fwd: [Owasp-leaders] Commercial Services Registry -- Live!

Tom Brennan tomb at owasp.org
Fri May 14 14:16:39 UTC 2010


It's my understanding that in addition to the Sweden conference it is also the 2010 OWASP Summit, like what we did at APPSEC DC 2009. Is this not the case?

Kate - please chime in here.

We will need to ensure we have a "direction team" formed global committee chairs and board members to make this happen.. if not Sweden, let's do a hotel in Washington DC for 2 days - if it's important to the .org it needs to be done.




On May 14, 2010, at 10:13 AM, Eoin wrote:

> What day is the summit on? and what time?
> 
> On 14 May 2010 15:09, Tom Brennan <tomb at owasp.org> wrote:
> 
> Seems like the face-to-face value of the OWASP Summit in Sweden will be very interactive so we need to try to get the players in the room.  
> 
> Like most orgs., that have missions and agendas - it is useful to do a full day meeting to hash out the 12 month - 24 month and beyond plan - it's time prior to a fork in the org.
> I 
> 
> 
> 
> On May 14, 2010, at 9:20 AM, Eoin wrote:
> 
>> Guys,
>> To be honest,
>>  
>> I raised issues re the commercial registry weeks ago and got very little support from any of the board imho.
>>  
>> The issue of governance is still on my mind. I have seen it too many times before; a great organisation or project that gets corrupted or twisted by commercial interests......I don't want OWASP to look like ISC2 in 5 years time where all the leadership is concerned with are membership funds, funding, commercial vehicles etc... I did not get involved with OWASP 6 years ago for that.
>>  
>> We need to control this open-source - commercial relationship in a measured way. Sometimes I personally feel it's getting a little out of control. We need to take it a little slower and think in a strategic manner.
>>  
>> It appears/feels sometimes that those who shout louder get heard and some board members are "more equal" than others.
>>  
>> Mike is great but I also got some shite emails from him, that for me is like waving a red rag to a bull. He does not take direction very well. I believe no one person owns any project, OWASP is the ultimate parent i.e. The board.
>>  
>> So these are my thoughts on the issue, my cards on the table, if you will.
>>  
>> -ek
>>  
>>  
>>  
>>  
>>  
>> 
>> 
>>  
>> On 14 May 2010 01:32, dinis cruz <dinis.cruz at owasp.org> wrote:
>> Ok, I have tried to be REALLY patient and politically correct here, but I'm running out of arguments (and he doesn't read my answers so it is a bit pointless to try to change his mind)
>> 
>> Please see the thread below and advise on the next steps.
>> 
>> Jeff or Dave, since Mike B is close to you, are you able to talk to him? 
>> 
>> In the past, I was never happy with Mike B.'s lack of respect for our community and his 'way over the top' ASVS promotion (which was never a big issue since ASVS never really took off), BUT this project (Commercial Services) is WAY too critical for OWASP to continue like this, so either he changes or we have to take over it and find a new leader.
>> 
>> What do you think?
>> 
>> Dinis
>> 
>> 
>> ---------- Forwarded message ----------
>> From: dinis cruz <dinis.cruz at owasp.org>
>> Date: 14 May 2010 01:25
>> Subject: Re: [Owasp-leaders] Commercial Services Registry -- Live!
>> To: mike.boberski at gmail.com
>> 
>> 
>> Mike we might need to talk this over the phone since you are not understanding my worries and I don't think we are communicating here.
>> 
>> Also you are confusing the issues. 
>> 
>> The email to the leaders list was about the case of Training Courses around OWASP projects, which is a very specific variation of the bigger 'Commercial Services' database that you are working on (for example the courses have the specific scenario of the leaders doing/selling the training). Of course that there is overlap, and in fact, this type of analysis is one of the things I feel is currently missing from the OWASP Commercial Services project (i.e. we will need to do similar analysis for the other type of Commercial Services that can be provided around OWASP Projects)
>> 
>> My direct email to you was about the current state of the 'Commercial Services' page and my worries about how it is currently being presented.
>> 
>> Mike, I would recommend that you take a deep breath, re-read my emails and re-think your attitude to your fellow OWASP community members. 
>> 
>> The 'Commercial Services' initiative is a very powerful but also very dangerous endeavour for OWASP, and we have to make sure that our community supports it. Which means that whoever is leading the 'Commercial Services' OWASP project (and it is a project) needs to have a LOT of sensitivity (and diplomacy) when presenting and handling it.
>> 
>> To be 100% honest with you Mike, it is great that you had the energy to kick start the OWASP Commercial Services project, BUT you are being too cavalier, insensitive and apparently not aware of the massive implications (both good or bad) that this project has for OWASP.
>> 
>> I REALLY ask you to have a change of heart and change your attitude, since if you don't, my view is that you can't continue to lead the OWASP Commercial Services project.
>> 
>> Since you probably won't follow my advice and will be very annoyed with me, can I at least recommend that you have a word with Jeff about this? (I will forward this thread to the board so he will be aware of the issue)
>> 
>> Hopefully we can work this out,
>> 
>> Best regards
>> 
>> Dinis Cruz
>> 
>> 
>> 
>> On 14 May 2010 00:55, Mike Boberski <mike.boberski at gmail.com> wrote:
>> Let me follow up more on this.
>> 
>> If you cut the legs out from under this registry before we can get at least some people to sign on, you'll kill it.
>> 
>> Kate's not alone on vetting descriptions, we're going to work together, and enlist any additional help needed to get this going as smoothly as possible.
>> 
>> I don't want to be a dick but your note to leaders pissed me off. Sorry. Should've kept chatting with me. I'm ok with discussing publicly if that's what you choose.
>> 
>> Mike
>> 
>> 
>> 
>> On Thu, May 13, 2010 at 7:49 PM, Mike Boberski <mike.boberski at gmail.com> wrote:
>> I don't understand what your objections are. If you're a defender, let's continue on. Certainly we can adapt as we go with criteria. I completely object to this being put into a project criteria, it is the same from an OWASP perspective as jobs page.
>> 
>> Mike
>> 
>> 
>> 
>> On Thu, May 13, 2010 at 7:21 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
>> Mike, just to clarify something, you know that I am on the OWASP Board right?
>> 
>> We have talked several times about this topic at OWASP Board meetings (and in fact I was one of the big defenders to move this forward and to try to figure out how to do this (I also have been thinking about this issue for a couple years now, have a good idea of how we could make this work, and just like you, have spoken to Jeff about it))
>> 
>> See also below a couple more comments on your answers:
>> 
>> On 13 May 2010 23:18, Mike Boberski <mike.boberski at gmail.com> wrote:
>> Hi Dinis, thanks for writing.
>> 
>> Right now it's being administered exactly like the jobs page. The page is locked and requests go to Kate. It doesn't really fit the mold as an OWASP project per se, is no different than the jobs page basically.
>> 
>> I beg to differ, this is a very different beast when compared with the Jobs page (with massive good and bad implications)
>>  
>> So, while initially described as a "project", not really.
>> 
>> Well OWASP projects cover a very wide range of topics and activities so although this 'initiative' is not really a tool or a document, it has the same needs for: project leader, description, mailing list, etc.. (i.e. the information we capture with the Project Informations tab)
>> 
>> 
>> So unless you disagree, I will ask Paulo to create this project and put you and me as the project leaders (anybody else we should invite to the leadership of this project)
>>  
>> 
>> We're live, waiting for applications.
>> 
>> And this is exactly my worry, I don't think this initiative is ready for prime-time since we are still quite far away from having a working model that works (and one that our community is comfortable with)
>> 
>> In fact, just the fact that we don't have any real-world data in there (i.e. real cases of companies/individuals that provide these services) justifies the use on these pages of BETA or 'we are still trying to figure out how to do this' tags
>>  
>> I actually don't know your affiliation, but please do go ahead and submit an application.
>> 
>> I'm raising my concerns and opinions as an OWASP Board member (not as a company/individual wanting to be listed)
>>  
>> A Booz Allen one will be forthcoming for example, but I wasn't able to start the company machinery until the registry was up. Will take a little bit of time for the Booz Allen, since have to describe an approach, rather than use a single generic already vetted description. I know a number of other companies are in the same state based on inquiries. The example is helpful I think to leave up for right now, it will be removed once a first listing in each category is ready.
>> 
>> Sure, but please take into consideration that these are not the final rules of engagement, and only as we try this out, will we be able to figure out what works (and what is accepted by our community)
>> 
>> While I completely appreciate that it may look like it was me on my own based on the leaders mail list, there have been very lengthy conversations with Jeff and Dave, I didn't just toss it up, it was only done with Jeff's permission. This is from a certain point of view since we've not chatted on this topic (which I'm happy to do, hopefully this email is evidence), a culmination of more than two years of conversations with Jeff and Dave and others, as I'd tried to stand this up in tandem with ASVS,
>> 
>> I'm aware of that and I fully appreciate the effort you have put into this.
>>  
>> so rest assured every detail has been carefully, painfully, planned out.
>> 
>> Where can I see this? 
>> 
>> So far I have seen the original document you sent, the emails and the FAQ on the main 'Commercial Services' page. 
>> 
>> Did I miss anything?  
>> 
>> There are a lot of unanswered questions (and I have already started to hear muted noises/worries about this), so we really need to build up that FAQ and put as much information as possible on those WIKI Pages
>>  
>> We did make tweaks after the initial RFC email as well, to take into account community input.
>> 
>> Yep, I saw that.
>> 
>> Let's make this happen :)
>> 
>> Best regards
>> 
>> Dinis Cruz
>> 
>> 
>> 
>> 
>> 
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
>> 
>> 
>> 
>> 
>> -- 
>> Eoin Keary
>> OWASP Global Board Member
>> OWASP Code Review Guide Lead Author
>> 
>> http://asg.ie/
>> https://twitter.com/EoinKeary
> 
> 
> 
> 
> -- 
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
> 
> http://asg.ie/
> https://twitter.com/EoinKeary
