[Owasp-board] Fwd: [owasp-antisamy] AntiSamy Java library: internationalcharacters / issue 121

Jim Manico jim.manico at owasp.org
Mon Apr 2 09:33:28 UTC 2012


One more note, Jason. This is being retweeted around OWASP circles today.
You may want to keep up this tradition and send out quarterly updates. I
miss Paolo, he was really on it.

" New: OWASP Project Manager – Work accomplished since August 8, 2011
http://t.co/JqKunA0Y "

--
Jim Manico
(808) 652-3805

On Apr 1, 2012, at 11:18 PM, Jason Li <jason.li at owasp.org> wrote:

Jim,

You have a habit of "saying your piece and moving on" as if that somehow
makes it OK.

If you think there's an issue, then let's flesh it out and address it
together. It's extremely easy to walk up to any situation and poke holes
and point out problems (the security industry as a whole is very good at
this). It's much more difficult to stay and actually try to solve those
problems. The devil is in the details and that's when you realize there are
a lot of complexities to the issues. If you want to point something out -
that's fine. And if you really truly want to walk away from things
afterwards, that's your prerogative. But yelling to everyone "ANSWER MY
QUESTION!!!!", and walking away from the conversation before someone can
answer is ludicrous. So I'll repeat my previous statement - let's have a
responsible, measured conversation about projects.

Having said that - I want to address several things right off the bat
from a scope perspective.

I am not the leader of the AntiSamy project - I've been a contributor, just
like you have been a contributor to ESAPI, several Cheat Sheets, etc. Even
if I was though, I think you, the Board and the rest of the committee
chairs know that I am very good at compartmentalizing my responsibilities
and calling it as I see it. When I wear my OWASP hat or my GPC hat, I will
act in the interest of that hat and I've had no issues calling out
co-workers and colleagues in the past when wearing my various hats.

Wearing my AntiSamy hat, I'll simply reiterate what Arshan (project leader)
has communicated to me. The patch in question addresses a minor,
non-functionality related issue that he intends to incorporate into the
next release which, as he stated on thread, is several months out. While
the patch is greatly appreciated, like most OWASP volunteers, he does not
have the benefit of unlimited time to work on OWASP. Seeing as it's not a
critical functional issue, he has not placed an extremely high priority on
incorporating the patch.

Now, wearing my GPC hat, it's a project leader's responsibility to set the
speed and direction that they want to move at and we (as OWASP) would be
very hard pressed to impose any kind of time requirement on our volunteers.

All OWASP projects are run by volunteers. As others (including yourself)
have pointed out, we have an entire portfolio of projects that are either
stagnant or moving at a snail's pace. But that's the nature of volunteer
projects - they're inherently dependent on an extremely passionate project
leader to keep the project going. In theory, open source allows anyone to
pick up the code and keep going with it. But in reality, it doesn't
actually work that way. To date, I'm not aware of *any* OWASP code project
that has been successfully "adopted" by a new leader (i.e. created a
follow-on release from the codebase) UNLESS that new leader came from
within the existing project (e.g. JBroFuzz, ESAPI). Likewise, for
documentation projects, the only projects that I'm aware of that continued
successfully with new leaders outside the project are the OWASP Development
Guide and the OWASP Testing Guide - and those were largely due to the
extraordinarily passionate efforts of Andrew, Eoin, Matteo, et al. And even
those two projects are currently in a state of slow motion.

So the constructive conversation I would like to have - and the one the GPC
has been trying to pursue - is how do we support the passionate volunteers
that choose to continue their work, and acknowledge the fact that some
folks have made their contribution but their ability to contribute further
is limited? We have some ideas - and I had a very informative conversation
with John Wilander the other week, which has given me some more things to
consider. There's a lot of excitement right now about OWASP's acceptance as
a Google Summer of Code mentoring organization and hopefully that's a first
step to inspire some project participation. As I suggested in a different
thread to the Board, I think that can potentially be a catalyst for a
tangible means of encouraging project contributions.

But I'm positively certain that calling people out and complaining to the
Board is NOT the way to encourage more participation from our volunteers...

-Jason

P.S. I want to clarify "flagship" status as something that we as the GPC
are still aspiring to. In general, the GPC goal is not to be in the
business of imposing on our volunteers. As a result, we're trying to
encourage project maturity by offering increasing carrots that are driven
by community voting/feedback. A set of projects have been identified as
potential targets for preliminary flagship status, but we have not yet
established the project review platform to drive these benefits, let alone
approached *any* of those projects in consideration to ask whether or not
they would agree to being considered a flagship project.

On Tue, Mar 20, 2012 at 1:25 PM, Jim Manico <jim.manico at owasp.org> wrote:

> It took *three months* for you to respond, Jason. There is no excuse for
> that kind of treatment of the OWASP community, especially ones bearing
> patches. Especially for projects supposedly co-run by our "project
> committee chair". In my opinion it's a symptom of a deeper disease.
>
> I do not expect either you to agree with me, or even take additional
> action. I said my piece and I am now moving on.
>
>
> --
> Jim Manico
> (808) 652-3805
>
> On Mar 20, 2012, at 5:56 PM, Jason Li <jason.li at owasp.org> wrote:
>
> Jim,
>
> You're talking about issues that are slightly out of context of the
> AntiSamy project and fixated on the notion of flagship status.
>
> Projects are driven by leaders and it should not be the goal or desire of
> the GPC or the Board to be managing minutiae like change control.
> Ironically, projects is an area where I support your federalist/states
> rights perspective of OWASP - we have to be cognizant of what we're doing
> to *support* projects versus *impose* on projects.
>
> Remember that all project leaders are volunteers - just because a patch
> hasn't been accepted doesn't mean a project leader is ignoring the issue OR
> is somehow "undeserving" of the "benefit" of OWASP (which btw, the tangible
> concrete benefit that any given project *currently* gets at OWASP is
> negligible). Do we need to find a way to address user concerns? Yes. But
> trying to "force" or "escalate" a volunteer to do something is not
> constructive.
>
> I want to reply with more detail and context but I honestly don't have
> time to do that this week and I don't want you to keep fanning flames on
> this thread in the meantime. I promise to respond to this thread to
> clarify what flagship is, what the reasonable limits of OWASP are, and then
> we can have a responsible, measured conversation about projects.
>
> -Jason
>
> On Mar 20, 2012, at 11:32 AM, Jim Manico <jim.manico at owasp.org> wrote:
>
> It still took three months for him to respond. As a flagship OWASP project
> (that includes our project chair as a co-lead) I'm still very concerned
> that it took so long for a simple acknowledgement of a (very good)
> contribution/patch.
>
> Perhaps we should add one-week turnaround time for support as core
> criteria needed to maintain "flagship project status".
>
> --
> Jim Manico
> (808) 652-3805
>
> On Mar 20, 2012, at 3:08 PM, Dave Wichers <dave.wichers at owasp.org> wrote:
>
> Jim,
>
> Arshan is in communication with Sean and this is being worked.
>
> -Dave
>
> *From:* owasp-board-bounces at lists.owasp.org [mailto:
> owasp-board-bounces at lists.owasp.org] *On Behalf Of *Jim Manico
> *Sent:* Monday, March 19, 2012 6:00 PM
> *To:* OWASP Foundation Board List; ssullivan at gilt.com
> *Subject:* [Owasp-board] Fwd: [owasp-antisamy] AntiSamy Java library:
> internationalcharacters / issue 121
>
> Sean Sullivan has been *begging* the OWASP AntiSamy project to even
> acknowledge his patch and contribution, see below. He first submitted this
> Dec 2011 and has gotten no response from Jason Li or Arshan D.
>
> Since we claim AntiSamy to be a "flagship project" I cry foul and ask the
> board to step in.
>
> --
> Jim Manico
> (808) 652-3805
>
> *From:* Sean Sullivan <ssullivan at gilt.com>
> *Date:* March 19, 2012 10:43:45 PM GMT+01:00
> *To:* Owasp-antisamy at lists.owasp.org
> *Subject:* *Re: [owasp-antisamy] AntiSamy Java library:
> internationalcharacters / issue 121*
>
> Is there anything I can do to help resolve issue #121?
>
> Sean
>
> On Tue, Mar 6, 2012 at 9:00 AM, Sean Sullivan <ssullivan at gilt.com> wrote:
>
> Hello,
>
> I just looked at Subversion trunk and noticed that my patch (issue # 121)
> is still pending:
>
>    http://code.google.com/p/owaspantisamy/source/list
>
>    http://code.google.com/p/owaspantisamy/issues/detail?id=121
>
> Is there anything I can do to help?
>
> Sean
>
> On Wed, Feb 22, 2012 at 5:17 PM, Arshan Dabirsiaghi <
> arshan.dabirsiaghi at aspectsecurity.com> wrote:
>
> Sorry for the delay; the patch looks good. It will probably be in HEAD in
> a few days after I do some testing and get it into the next minor release,
> which I hope to make in the next month or two. We just brought a new little
> AntiSamy into the world, so time has been tight.
>
> Thanks,
> Arshan
>
>
> *From:* owasp-antisamy-bounces at lists.owasp.org [mailto:
> owasp-antisamy-bounces at lists.owasp.org] *On Behalf Of *Sean Sullivan
> *Sent:* Wednesday, February 22, 2012 2:29 PM
> *To:* Owasp-antisamy at lists.owasp.org
> *Subject:* Re: [owasp-antisamy] AntiSamy Java library:
> internationalcharacters / issue 121
>
> Hello,
>
> Is there anything I can do to help get this patch accepted?
>
> Sean
>
> On Fri, Feb 17, 2012 at 4:21 PM, Sean Sullivan <ssullivan at gilt.com> wrote:
>
> In December 2011, I submitted a patch for AntiSamy's Java library:
>
> http://code.google.com/p/owaspantisamy/issues/detail?id=121
>
> The issue's status has not changed since I submitted it.  Is there
> anything I can do to help get this patch accepted?
>
> Sean
>
> _______________________________________________
> Owasp-antisamy mailing list
> Owasp-antisamy at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>
>