[Owasp-board] Sponsor a Project?

Jim Manico jim.manico at owasp.org
Sat Aug 24 12:39:34 UTC 2013

I think it's an interesting idea that merits discussion. For sure.

Jim Manico
(808) 652-3805

On Aug 24, 2013, at 2:28 PM, Tom Brennan - OWASP <tomb at owasp.org> wrote:

Is there a suggestion of moving from optional assignment of copyright to


This is a very core discussion and important for the foundation

On Aug 24, 2013, at 5:14 AM, Jim Manico <jim.manico at owasp.org> wrote:

I would say that OWASP should not allow any projects that can be "taken
back" in some way. That's not really open source. I believe our license
*guidelines* steer folks in this direction.


Jim Manico
(808) 652-3805

On Aug 24, 2013, at 9:55 AM, Jason Li <jason.li at owasp.org> wrote:


I think that's a fair statement - if we're not worried about defection and
are willing to simply drop projects, then I agree that any policy can be

My assumption was that we would be concerned about major projects defecting
and our mitigating control for that situation was that OWASP could fork any
such project. The caveat I'm making to that mitigation is that we should
not assume that OWASP can fork any project that defects (see my response to
Jim's comment about our projects being open source). Moreover, even if we
could fork it, our track record on picking up abandoned projects is not
very good.


On Wednesday, August 21, 2013, Michael Coates wrote:

> Jason,
> I've been following along and had a few questions on your first email. You
> indicated that OWASP can't enforce any sort of policy without ownership of
> the project through a contributor agreement and our only recourse would be
> to remove "OWASP" from the project name (and remove instances from the
> wiki).
> In my opinion this is actually a very strong amount of control and
> provides us the ability to set policy for our projects. If functioning as
> intended, the OWASP platform provides projects many values. We are a
> resource to rally other contributors, we provide visibility to new projects
> to attract users and developers, and we also provide our projects with
> special placement at OWASP conferences and workshops. I feel that we are in
> a good position to set a series of rules that a project must adhere to if
> it wishes to be an OWASP project. If the project wants to do differently,
> that's fine, but it wouldn't be an OWASP project.
> To one of your other points, this does mean a project owner could take
> their project elsewhere. This is where we differ from Apache. This is a
> risk and would be solved by the contributor agreement and ownership
> element. However, we don't need to solve the problem of projects defecting
> to still address the rules and requirements to be an OWASP project.
> Thoughts? Interested in your opinion on this delineation of the issue.
> --
> Michael Coates | OWASP | @_mwc
> On Tue, Aug 20, 2013 at 11:37 PM, Jason Li <jason.li at owasp.org> wrote:
>> Jim,
>> I'm not sure how you can disagree with what I'm saying because I'm not
>> stating an opinion, I'm merely pointing out fact.
>> OWASP doesn't have IP ownership of a large portion of projects because
>> that's not something that has ever been dealt with at an organizational
>> level. To my knowledge, none of the countless folks that have contributed
>> to various code projects that are hosted off the wiki had to sign any kind
>> of contributor agreement or anything like that when they started
>> associating with a project.
>> That is in stark contrast to the Apache Foundation where they DO require
>> contributors to sign license agreements and for projects to be granted to
>> the Apache Foundation under specific conditions. Those practices give Apache
>> the ability to manage and protect projects in the ways you are seeking.
>> I never said that we can't have that same kind of framework as well - in
>> fact as I pointed out, the GPC was trying to move in that direction to get
>> the project house in order.
>> But I'm trying to tell you that you're pushing the Apache model of
>> sponsorship and neutrality without the supporting contributor framework that
>> Apache has... it's like trying to fly without wings - it may be possible
>> but it's a lot harder and you run the risk of falling on your face.
>> You talk about changing the Wild West attitude and my point is that the
>> most unstructured, most Wild West attribute of our projects right now is a
>> lack of "ownership" which prevents OWASP as an organization from truly
>> putting the structure you desire around projects.
>> -Jason
>> On Tuesday, August 20, 2013, Jim Manico wrote:
>> Thank you for your humble opinion.
>> I humbly disagree with almost everything you said because it allows
>> single vendors to exert great control in an inconsistent way like we have
>> seen from your employer on a number of occasions. But no blame to them, the
>> past project team and board never set clear rules of play. But there is a
>> price to pay for this. The current wild wild west attitude regarding
>> project sponsorship violates the heart of vendor neutrality which I wish to
>> fix.
>> In the upcoming days the board will release a series of different options
>> for future project sponsorship that we want the community to vote on (or
>> expand upon). Changing the current project sponsorship mechanism would be a
>> critical change and the board should not make this decision alone.
>> The goal is a neutral, fair and consistent playing field in terms of
>> project sponsorship. What we have now is the wild west and that needs to
>> change.
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>> On Aug 20, 2013, at 5:34 AM, Jason Li <jason.li at owasp.org> wrote:
>> Jim,
>> The Apache model is good to look at - the GPC borrowed many concepts from
>> Apache when we were ironing out the project lifecycle. But we
>> discovered there are several challenges that we need to overcome before we
>> can truly consider such a model.
>> I don't know if you realize this fact, but projects have to grant/license
>> to Apache before it is considered into the incubator. That step is one
>> of the reasons they can afford to dictate policy on their projects.
>> So I feel as though you're putting the cart before the horse...
>> Currently, we are not in a position to effect wide scale policy change
>> because we don't have any ownership stake in projects. Documentation
>> projects on the OWASP Wiki are ostensibly covered implicitly by the
>> contributor agreement users agree to when they sign up for a wiki account.
>> However, most projects don't exist entirely on the wiki but in outside
>> repositories. The only project I know of that has gone through some grant
>> process is the Secure Coding Practices Quick Reference Guide. That project
>> was formally and legally granted in its entirety to OWASP by the Boeing
>> Company.
>> Keith Turpin (GPC) and Sam were collaborating on standardizing this grant
>> process before the dissolution of the global committees so that OWASP could
>> exert some direction on projects. But until that is in place and we have a
>> critical mass of projects on board, I think a lot of these project
>> sponsorship issues will remain murky. Without some "ownership" stake in a
>> project, we can't really "push" any policy change on projects other than to
>> say "stop using the OWASP na
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board