[Owasp-board] (only board) Issue with Mike B Fwd: [Owasp-leaders] Commercial Services Registry -- Live!

Eoin eoin.keary at owasp.org
Fri May 14 14:18:40 UTC 2010


Would like to know ASAP.

Booking flights and have Stevie Wonder tickets!!

On 14 May 2010 15:16, Tom Brennan <tomb at owasp.org> wrote:

> It's my understanding that in addition to the Sweden conference it is also
> the 2010 OWASP Summit like what we did at APPSEC DC 2009, is this not the
> case?
>
> Kate - please chime in here.
>
> We will need to ensure we have a "direction team" formed global committee
> chairs and board members to make this happen.. if not Sweden let's do a hotel
> in Washington DC for 2 days - if it's important to the .org it needs to be
> done.
>
>  On May 14, 2010, at 10:13 AM, Eoin wrote:
>
> What day is the summit on? and what time?
>
> On 14 May 2010 15:09, Tom Brennan <tomb at owasp.org> wrote:
>
>>
>> Seems like the face-to-face value of the OWASP Summit in Sweden will be
>> very interactive so we need to try to get the players in the room.
>>
>> Like most orgs., that have missions and agendas - it is useful to do a
>> full day meeting to hash out the 12 month - 24 month and beyond plan - it's
>> time prior to a fork in the org.
>> I
>>
>>
>>
>>  On May 14, 2010, at 9:20 AM, Eoin wrote:
>>
>>  Guys,
>> To be honest,
>>
>> I raised issues re the commercial registry weeks ago and *got very little
>> support* from any of the board imho.
>>
>> *The issue of governance is still on my mind*. I have seen it too many
>> times before; a great organisation or project that gets corrupted or twisted
>> by commercial interests......*I don't want OWASP to look like ISC2 in 5
>> years time* where all the leadership is concerned with are membership
>> funds, funding, commercial vehicles etc... I did not get involved with OWASP
>> 6 years ago for that.
>>
>> *We need to control this open-source - commercial relationship* in a
>> measured way. Sometimes I personally feel it's getting a little out of
>> control. We need to take it a little slower and think in a strategic manner.
>>
>> It appears/feels sometimes that those who shout louder get heard and some
>> board members are "more equal" than others.
>>
>> Mike is great but I also got some shite emails from him, that for me
>> is like waving a red rag to a bull. He does not take direction very well. I
>> believe no one person owns any project, OWASP is the ultimate parent i.e.
>> The board.
>>
>> So these are my thoughts on the issue, my cards on the table, if you will.
>>
>> -ek
>>
>> On 14 May 2010 01:32, dinis cruz <dinis.cruz at owasp.org> wrote:
>>
>>> Ok, I have tried to be REALLY patient and politically correct here, but
>>> I'm running out of arguments (and he doesn't read my answers so it is a bit
>>> pointless to try to change his mind)
>>>
>>> Please see the thread below and advise on the next steps.
>>>
>>> Jeff or Dave, since Mike B is close to you, are you able to talk to him?
>>>
>>> In the past, I was never happy with Mike B.'s lack of respect for our
>>> community and his 'way over the top' ASVS promotion (which was never a big
>>> issue since ASVS never really took off), BUT this project (Commercial
>>> Services) is WAY too critical for OWASP to continue like this, so either he
>>> changes or we have to take over it and find a new leader.
>>>
>>> What do you think?
>>>
>>> Dinis
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: dinis cruz <dinis.cruz at owasp.org>
>>> Date: 14 May 2010 01:25
>>> Subject: Re: [Owasp-leaders] Commercial Services Registry -- Live!
>>> To: mike.boberski at gmail.com
>>>
>>>
>>> Mike we might need to talk this over the phone since you are not
>>> understanding my worries and I don't think we are communicating here.
>>>
>>>  Also you are confusing the issues.
>>>
>>> The email to the leaders list was about the case of *Training Courses
>>> around OWASP projects*, which is a very specific variation of the
>>> bigger 'Commercial Services' database that you are working on (for example
>>> the courses have the specific scenario of the leaders doing/selling the
>>> training). Of course there is overlap, and in fact, this type of
>>> analysis is one of the things I feel is currently missing from the OWASP Commercial
>>> Services <http://www.owasp.org/index.php/Commercial_Services> project
>>> (i.e. we will need to do similar analysis for the other types of Commercial
>>> Services that can be provided around OWASP Projects).
>>>
>>> My direct email to you was about the current state of the 'Commercial
>>> Services' page and my worries about how it is currently being presented.
>>>
>>> Mike, I would recommend that you take a deep breath, re-read my emails
>>> and re-think your attitude to your fellow OWASP community members.
>>>
>>> The 'Commercial Services' initiative is a very powerful but also very
>>> dangerous endeavour for OWASP, and we have to make sure that our community
>>> supports it. Which means that whoever is leading the 'Commercial Services'
>>> OWASP project (and it is a project) needs to have a LOT of sensitivity (and
>>> diplomacy) when presenting and handling it.
>>>
>>> *To be 100% honest with you Mike, it is great that you had the energy to
>>> kick start the OWASP Commercial Services <http://www.owasp.org/index.php/Commercial_Services>
>>> project, BUT you are being too cavalier, insensitive and apparently not
>>> aware of the massive implications (both good or bad) that this project has
>>> for OWASP.*
>>>
>>> *I REALLY ask you to have a change of heart and change your attitude,
>>> since if you don't, my view is that you can't continue to lead the
>>> OWASP Commercial Services <http://www.owasp.org/index.php/Commercial_Services>
>>> project.*
>>>
>>> Since you probably won't follow my advice and will be very annoyed with
>>> me, can I at least recommend that you have a word with Jeff about this? (I
>>> will forward this thread to the board so he will be aware of the issue)
>>>
>>> Hopefully we can work this out,
>>>
>>> Best regards
>>>
>>> Dinis Cruz
>>>
>>>
>>>
>>> On 14 May 2010 00:55, Mike Boberski <mike.boberski at gmail.com> wrote:
>>>
>>>> Let me follow up more on this.
>>>>
>>>> If you cut the legs out from under this registry before we can get at
>>>> least some people to sign on, you'll kill it.
>>>>
>>>> Kate's not alone on vetting descriptions, we're going to work together,
>>>> and enlist any additional help needed to get this going as smoothly as
>>>> possible.
>>>>
>>>> I don't want to be a dick but your note to leaders pissed me off. Sorry.
>>>> Should've kept chatting with me. I'm ok with discussing publicly if that's
>>>> what you choose.
>>>>
>>>> Mike
>>>>
>>>>
>>>>
>>>> On Thu, May 13, 2010 at 7:49 PM, Mike Boberski <mike.boberski at gmail.com> wrote:
>>>>
>>>>> I don't understand what your objections are. If you're a defender,
>>>>> let's continue on. Certainly we can adapt as we go with criteria. I
>>>>> completely object to this being put into a project criteria, it is the same
>>>>> from an OWASP perspective as jobs page.
>>>>>
>>>>> Mike
>>>>>
>>>>>
>>>>>
>>>>> On Thu, May 13, 2010 at 7:21 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
>>>>>
>>>>>> Mike, just to clarify something, you know that I am on the OWASP Board
>>>>>> right?
>>>>>>
>>>>>> We have talked several times about this topic at OWASP Board meetings
>>>>>> (and in fact I was one of the big defenders to move this forward and to try
>>>>>> to figure out how to do this (I also have been thinking about this issue for
>>>>>> a couple years now, have a good idea of how we could make this work, and
>>>>>> just like you, have spoken to Jeff about it))
>>>>>>
>>>>>> See also below a couple more comments on your answers:
>>>>>>
>>>>>>  On 13 May 2010 23:18, Mike Boberski <mike.boberski at gmail.com> wrote:
>>>>>>
>>>>>>> Hi Dinis, thanks for writing.
>>>>>>>
>>>>>>> Right now it's being administered *exactly* like the jobs page. The
>>>>>>> page is locked and requests go to Kate. It doesn't really fit the mold as an
>>>>>>> OWASP project per se, is no different than the jobs page basically.
>>>>>>>
>>>>>>
>>>>>> I beg to differ, this is a very different beast when compared with the
>>>>>> Jobs page (with massive good and bad implications)
>>>>>>
>>>>>>
>>>>>>> So, while initially described as a "project", not really.
>>>>>>>
>>>>>>
>>>>>> Well OWASP projects cover a very wide range of topics and activities
>>>>>> so although this 'initiative' is not really a tool or a document, it has the
>>>>>> same needs for: project leader, description, mailing list, etc.. (i.e. the
>>>>>> information we capture with the Project Informations tab)
>>>>>>
>>>>>>
>>>>>> So unless you disagree, I will ask Paulo to create this project and
>>>>>> put you and me as the project leaders (anybody else we should invite to the
>>>>>> leadership of this project)
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> We're live, waiting for applications.
>>>>>>>
>>>>>>
>>>>>> And this is exactly my worry, I don't think this initiative is ready
>>>>>> for prime-time since we are still quite far away from having a working model
>>>>>> that works (and one that our community is comfortable with)
>>>>>>
>>>>>> In fact, just the fact that we don't have any real-world data in there
>>>>>> (i.e. real cases of companies/individuals that provide these services)
>>>>>> justifies the use on these pages of BETA or *'we are still trying to
>>>>>> figure out how to do this' *tags
>>>>>>
>>>>>>
>>>>>>> I actually don't know your affiliation, but please do go ahead and
>>>>>>> submit an application.
>>>>>>>
>>>>>>
>>>>>> I'm raising my concerns and opinions as an OWASP Board member (not as
>>>>>> a company/individual wanting to be listed)
>>>>>>
>>>>>>
>>>>>>> A Booz Allen one will be forthcoming for example, but I wasn't able
>>>>>>> to start the company machinery until the registry was up. Will take a little
>>>>>>> bit of time for the Booz Allen, since have to describe an approach, rather
>>>>>>> than use a single generic already vetted description. I know a number of
>>>>>>> other companies are in the same state based on inquiries. The example is
>>>>>>> helpful I think to leave up for right now, it will be removed once a first
>>>>>>> listing in each category is ready.
>>>>>>>
>>>>>>
>>>>>> Sure, but please take into consideration that these are not the final
>>>>>> rules of engagement, and only as we try this out, will we be able to figure
>>>>>> out what works (and what is accepted by our community)
>>>>>>
>>>>>>>
>>>>>>> While I completely appreciate that it may look like it was me on my
>>>>>>> own based on the leaders mail list, there have been very lengthy
>>>>>>> conversations with Jeff and Dave, I didn't just toss it up, it was only done
>>>>>>> with Jeff's permission. This is from a certain point of view since we've not
>>>>>>> chatted on this topic (which I'm happy to do, hopefully this email is
>>>>>>> evidence), a culmination of more than two years of conversations with Jeff
>>>>>>> and Dave and others, as I'd tried to stand this up in tandem with ASVS,
>>>>>>>
>>>>>>
>>>>>> I'm aware of that and I fully appreciate the effort you have put into
>>>>>> this.
>>>>>>
>>>>>>
>>>>>>> so rest assured every detail has been carefully, *painfully*,
>>>>>>> planned out.
>>>>>>>
>>>>>>
>>>>>> Where can I see this?
>>>>>>
>>>>>> So far I have seen the original document you sent, the emails and the
>>>>>> FAQ on the main 'Commercial Services' page.
>>>>>>
>>>>>> Did I miss anything?
>>>>>>
>>>>>> There are a lot of unanswered questions (and I have already started to
>>>>>> hear muted noises/worries about this), so we really need to build up that
>>>>>> FAQ and put as much information as possible on those WIKI Pages
>>>>>>
>>>>>>
>>>>>>> We did make tweaks after the initial RFC email as well, to take into
>>>>>>> account community input.
>>>>>>>
>>>>>>
>>>>>> yap I saw that.
>>>>>>
>>>>>> Let's make this happen :)
>>>>>>
>>>>>> Best regards
>>>>>>
>>>>>> Dinis Cruz
>>>>>>
>>
>> --
>> Eoin Keary
>> OWASP Global Board Member
>> OWASP Code Review Guide Lead Author
>>
>> http://asg.ie/
>> https://twitter.com/EoinKeary


-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

http://asg.ie/
https://twitter.com/EoinKeary