[Owasp-board] (removing myself from the process) Re: Core Purpose Submissions

Seba seba at owasp.org
Fri Jan 21 12:56:15 UTC 2011


That's not really fair: you are criticizing the values we have reached thus
far and removing yourself from the process to discuss them?


On Fri, Jan 21, 2011 at 11:38 AM, dinis cruz <dinis.cruz at owasp.org> wrote:

> Hi Richard (and the rest of the board)
> As you probably noticed, *I have not been involved in this process* for the
> past weeks/month. Although I am hyper busy with the planning of the OWASP
> Summit and my work commitments, *the main reason is that I don't agree
> with the current direction* (that this exercise is taking) *and that the
> final outcome is going to be much smaller/valuable than it could be*.
> Sorry I just can't commit energy and ideas to a process I don't believe in,
> and one where the other side is not listening. Yes I know I could have been
> much more vocal, but I did raise a number of concerns and did spend almost
> 1h on the phone with Richard last December.
> *For me the core problem is that Richard doesn't understand Open Source and*
> (more specifically/importantly) *Open Source Communities*. I did try to
> explain this to Richard (and other board members I spoke to) that *unless
> we separated from the 'values discussion' the core values that are intrinsic
> to ANY (decent) Open Source Community (like OWASP), we would end up with a
> subset of values from those Communities, AND even worse, no values about
> what makes OWASP OWASP.*
> Just look at http://www.owasp.org/index.php/Core_Values_and_Definitions and
> tell me if you honestly believe that those 4 items are anywhere close to
> representing the number of values that every day are at play inside our
> community (aren't some of the ones that we removed from there as
> important?). Also, I would like to understand how any Open Source community
> can BE an open source community if it is not GLOBAL (since being GLOBAL is
> part of the open source 'definition').
> *I guess what pushed me over the edge was when I realized that Richard
> didn't even understand that an Open Source license means that the Source
> code is* (amongst other things) *freely available* (Yes, Richard, I know
> it is a very alien concept for a lot of other industries, but in the Open
> Source world, we freely distribute and open our most
> valuable intellectual property asset: The Source Code).
> The other problem is that I was hoping that our values could be used to
> deal swiftly with ideas from certain parts of our Community that would be
> against our current 'undocumented' culture/values. For example, the NDA
> requirement/idea from the Industry Committee (via Yiannis). My hope was that
> once such a question would arise, it could be stopped almost immediately by
> pointing to our values. This didn't happen, in fact the NDA question CAME
> from the thread talking about OWASP's values!
> *In fact, have we even asked the question: "Why we need these values?".*
>
> *What are the use cases (or questions that need answers) where the 'values
> definition' (and all the other bits) are needed?*
> Shouldn't we have created by now a list of questions whose answer would
> come by making reference to the 'owasp values'? (my recommendation for the
> ones that will complete this exercise with Richard is that you do such a
> thing). For example, looking at
> http://www.owasp.org/index.php/Core_Values_and_Definitions I can use those
> Values to make the case/argument that the OWASP Industry Committee should be
> allowed to sign NDAs so it can have 'more in-depth' conversations with other
> organizations (let's ignore for now how impossible that would be to actually
> implement in practice).
> Other questions that should be quickly dealt with by our values should be:
>    - OWASP & Certification
>    - use/abuse of OWASP Brand
>    - employment strategies for OWASP
>    - how OWASP invests its funds
>    - how OWASP assigns/removes its leaders
>    - how OWASP deals with conflict
>    - how OWASP manages its projects
>    - how OWASP deals with the WebAppSec industry vendors
>    - how OWASP deals with government body
>    - should OWASP provide 'labels' for applications
>    - what is the role of the OWASP Board
>    - who is the guardian of OWASP's values
>    - what is the role of OWASP's community
>    - how important to OWASP are events like the Summit
>    - etc.....
> For me a good 'Values' definition would provide very strong directions on
> each one of those questions (and 'directions' which would currently match
> our community understanding of our 'undocumented' OWASP's values)
> *Just to be clear*, and so that I don't have to find excuses NOT to make
> these calls (although for the past two weeks I DID have a client call booked
> during that time), *I am removing myself from this process.*
> I'm sure you guys will be able to finish it just fine, and in the end will
> create an interesting document which will be a good starting point for
> debate for our community.
> And, if you feel you will have something ready by the Summit, then let's add
> a Working Session for it
> Good luck
> Dinis Cruz
> On 18 January 2011 17:24, Richard Tesauro <tesauros at mac.com> wrote:
>> The Core Purpose submissions from Tom, Matt, Seba, Eoin and Jeff offer a
>> productive discussion and Board call this Friday. The submissions will be
>> posted on the TMC wiki page shortly. A call agenda will be emailed later by
>> Kate.
>>  Enjoy your day,
>> Richard A. (Dick) Tesauro
>> President and Founder
>> *Tesauro Management Counselors (TMC)*
>> *Trusted Advisor and Catalyst*
>> *
>> Helping Leaders Create Enduring, Growing, "Great" Organizations
>> *
>> 3124 Trevolle Place
>> Dallas, Texas 75204-5537
>> 214-823-6028 (Phone)
>> 214-924-1154 (Cell)
>> RA at TesauroMC.com
>> www.TesauroMC.com <http://www.tesauromc.com/>