[Owasp-board] (removing myself from the process) Re: Core Purpose Submissions

dinis cruz dinis.cruz at owasp.org
Fri Jan 21 14:06:59 UTC 2011

I am saying I don't have the time to spend on this activity (i.e. enough
time in order to be able to do the contribution that I feel I could do),
and, that I'm not agreeing with the current methodology.

Also, I'm only 1 out of 7 board members, so the other 6 are enough to
complete the task and vote YES on its conclusions (note that I am not saying
I will vote NO (I will wait and see the final document)).

I just don't want to participate any more on its creation.

I tried hard to make this work, but couldn't. I think it is better to step
down from participating in this engagement sooner rather than later.

Dinis Cruz

On 21 January 2011 13:46, Thomas Brennan <tomb at owasp.org> wrote:

> You're a member of the board.  We agreed as a team to approve this and to
> work on this effort.  Are you stepping down from that team then and simply
> focused on being an individual?
> On Jan 21, 2011, at 8:41 AM, dinis cruz wrote:
> never and it should never be that, but If I'm not contributing or adding
> value I should not be involved
> Dinis Cruz
> On 21 January 2011 13:23, Thomas Brennan <tomb at owasp.org> wrote:
>> Dinis, when did we start calling OWASP "ODinis"
>> On Jan 21, 2011, at 7:56 AM, Seba wrote:
>> Dinis,
>> That's not really fair: you are criticizing the values we have reached
>> thus far and removing yourself from the process to discuss them?
>> --Seba
>> On Fri, Jan 21, 2011 at 11:38 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
>>> Hi Richard (and the rest of the board)
>>> As you probably noticed *I have not been involved in this process* for
>>> the past weeks/month. Although I am hyper busy with the planning of the
>>> OWASP Summit and my work commitments, *the main reason is that I don't
>>> agree with the current direction* (that this exercise is taking) *and
>>> that the final outcome is going to be much smaller/valuable than it could
>>> be*.
>>> Sorry I just can't commit energy and ideas to a process I don't believe
>>> in, and one where the other side is not listening. Yes I know I could have
>>> been much more vocal, but I did raise a number of concerns and did spend
>>> almost 1h on the phone with Richard last December.
>>> *For me the core problem is that Richard doesn't understand Open Source
>>> and* (more specifically/importantly) *Open Source Communities*. I did
>>> try to explain this to Richard (and other board members I spoke to) that
>>> *unless we separated from the 'values discussion' the core values that
>>> are intrinsic to ANY (decent) Open Source Community (like OWASP), we would
>>> end up with a subset of values from those Communities, AND even worse, no
>>> values about what make OWASP OWASP.*
>>> Just look at http://www.owasp.org/index.php/Core_Values_and_Definitions and
>>> tell me if you honestly believe that those 4 items are anywhere close from
>>> representing the number of values that everyday are at play inside our
>>> community (aren't some of the ones that we removed from there as
>>> important?). Also, I would like to understand how any Open Source community
>>> can BE an open source community if it is not GLOBAL (since being GLOBAL is
>>> part of the open source 'definition')
>>> *I guess what pushed me over the edge was when I realized that Richard
>>> didn't even understand that an Open Source license, means that the Source
>>> code is* (amongst other things) *freely available* (Yes, Richard, I know
>>> it is a very alien concept for a lot of other industries, but in the Open
>>> Source world, we freely distribute and open our most
>>> valuable intellectual property asset: The Source Code).
>>> The other problem is that I was hoping that our values could be used to
>>> deal swiftly with ideas from certain parts of our Community that would be
>>> against our current 'undocumented' culture/values. For example, the NDA
>>> requirement/idea from the Industry Committee (via Yiannis). My hope was that
>>> once such question would arise, it could be stopped almost immediately by
>>> pointing to our values. This didn't happen, in fact the NDA question CAME
>>> from the thread talking about OWASP's values!
>>> *In fact, have we even asked the question: "Why we need these values?".*
>>> *What are the use cases (or questions that need answers) where the
>>> 'values definition' (and all the other bits) are needed?*
>>> Shouldn't we have created by now a list of questions whose answer would
>>> come by making reference to the 'owasp values'? (my recommendation for the
>>> ones that will complete this exercise with Richard is that you do such a
>>> thing). For example looking at
>>> http://www.owasp.org/index.php/Core_Values_and_Definitions I can use
>>> those Values to make the case/argument that the OWASP Industry Committee
>>> should be allowed to sign NDAs so it can have 'more in-depth' conversations
>>> with other organizations (let's ignore for now how impossible that would be
>>> to actually implement in practice).
>>> Other questions that should be quickly dealt with by our values should be:
>>>    - OWASP & Certification
>>>    - use/abuse of OWASP Brand
>>>    - employment strategies for OWASP
>>>    - how OWASP invests its funds
>>>    - how OWASP assigns/removes its leaders
>>>    - how OWASP deals with conflict
>>>    - how OWASP manages its projects
>>>    - how OWASP deals with the WebAppSec industry vendors
>>>    - how OWASP deals with government body
>>>    - should OWASP provide 'labels' for applications
>>>    - what is the role of the OWASP Board
>>>    - who is the guardian of OWASP's values
>>>    - what is the role of OWASP's community
>>>    - how important to OWASP are events like the Summit
>>>    - etc.....
>>> For me a good 'Values' definition would provide very strong directions on
>>> each one of those questions (and 'directions' which would currently match
>>> our community understanding of our 'undocumented' OWASP's values)
>>> *Just to be clear*, and so that I don't have to find excuses NOT to make
>>> these calls (although for the past two weeks I DID have a client call booked
>>> during that time), *I am removing myself from this process.*
>>> I'm sure you guys will be able to finish it just fine, and in the end
>>> will create an interesting document which will be a good starting point for
>>> debate for our community.
>>> And, if you feel you will have something ready by the Summit, then let's
>>> add a Working Session for it
>>> Good luck
>>> Dinis Cruz
>>> On 18 January 2011 17:24, Richard Tesauro <tesauros at mac.com> wrote:
>>>> The Core Purpose submissions from Tom, Matt, Seba, Eoin and Jeff offer a
>>>> productive discussion and Board call this Friday. The submissions will be
>>>> posted on the TMC wiki page shortly. A call agenda will be emailed later by
>>>> Kate.
>>>>  Enjoy your day,
>>>> Richard A. (Dick) Tesauro
>>>> President and Founder
>>>> *Tesauro Management Counselors (TMC)*
>>>> *Trusted Advisor and Catalyst*
>>>> *Helping Leaders Create Enduring, Growing, "Great" Organizations*
>>>> 3124 Trevolle Place
>>>> Dallas, Texas 75204-5537
>>>> 214-823-6028 (Phone)
>>>> 214-924-1154 (Cell)
>>>> RA at TesauroMC.com
>>>> www.TesauroMC.com <http://www.tesauromc.com/>