[Owasp-board] Sponsor a Project?

Jason Li jason.li at owasp.org
Tue Aug 20 03:34:30 UTC 2013


The Apache model is good to look at - the GPC borrowed many concepts from
Apache when we were ironing out the project lifecycle. But we
discovered there are several challenges that we need to overcome before we
can truly consider such a model.

I don't know if you realize this fact, but projects have to grant/license
to Apache before it is considered into the incubator. That step is one of
the reasons they can afford to dictate policy on their projects.

So I feel as though you're putting the cart before the horse...

Currently, we are not in a position to effect wide scale policy change
because we don't have any ownership stake in projects. Documentation
projects on the OWASP Wiki are ostensibly covered implicitly by the
contributor agreement users agree to when they sign up for a wiki account.
However, most projects don't exist entirely on the wiki but in outside
repositories. The only project I know of that has gone through some grant
process is the Secure Coding Practices Quick Reference Guide. That project
was formally and legally granted in its entirety to OWASP by the Boeing

Keith Turpin (GPC) and Sam were collaborating on standardizing this grant
process before the dissolution of the global committees so that OWASP could
exert some direction on projects. But until that is in place and we have a
critical mass of projects on board, I think a lot of these project
sponsorship issues will remain murky. Without some "ownership" stake in a
project, we can't really "push" any policy change on projects other than to
say "stop using the OWASP name" and try and create our own fork of the
project. That is not only difficult to do, but not entirely desirable and
perhaps not even feasible depending on the license...

Without some kind of grant framework in place, we're a patchwork collection
of projects joined only in name...

I know project sponsorship issues are important to you but I think it will
help to first solve some of these foundational issues so that bigger
strategic issues can be approached.

My humble opinion,


On Monday, August 19, 2013, Jim Manico wrote:

> Here is how Apache (ASF) handles project sponsorships. Interesting.
> Contact info below of the ASF fundraising POC included.
> --
> Jim Manico
> @Manicode
> (808) 652-3805
> Begin forwarded message:
> *From:* Daniel Shahaf <danielsh at apache.org>
> *Date:* August 19, 2013, 10:12:00 PM GMT+02:00
> *To:* Jim Manico <jim at manico.net>
> *Cc:* fundraising at apache.org
> *Subject:* *Re: Sponsor a Project*
> Jim Manico wrote on Mon, Aug 19, 2013 at 17:05:04 +0200:
> Can I just sponsor a specific project in some way? How would that
> acknowledgement work?
> Yes and no.
> By default, the ASF does not accept targeted/earmarked donations.
> However, you might be able to support a specific project in other ways
> --- for example, by sponsoring individual developers to work on it, or
> by sponsoring a get-together of the developers, and so on.  In this
> case, you can expect your sponsorship of the event to be acknowledged
> in, for example, dev@ lists posts announcing it.
> Is there a particular project you're interested in supporting?
> Let us know if you have any more questions.
> Thanks
> Daniel