[Owasp-board] A New Projects Model

Kevin W. Wall kevin.w.wall at gmail.com
Mon Apr 14 02:05:53 UTC 2014

[Apologies in advance for being anal and trimming all but the last
post, but all this top-posting drives me crazy. I grew up old
school /bin/mail and mailx and personally find top posting an
anathema most of which I blame on Outlook.]

On Sun, Apr 13, 2014 at 6:50 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
> Maybe ESAPI was a bad example as its not additional features that it lacks,
> but rather code quality in general.  Based on what you said, ESAPI would
> probably be in the Everything Else bucket.  Not ready for Production means
> not ready for #2.  That doesn't mean that others can't work on it and get it
> there, but we wouldn't put Foundation resources into it until its ready.
> Maybe another tier for foundational projects that we recognize long term
> value in but that aren't ready for the big show yet?

Speaking as one of the ESAPI project leaders, the problem that I
see it is that we have lots of competing projects (I think Josh said
177) and all of them are vying for limited resources where
"resources" are funding, volunteers, and developer attention.

When a relatively inactive project like ESAPI is the one that
garners the headline position (in the OWASP Welcome banner)
and gets a dedicated hackathon to the exclusion of other
deserving projects, then that becomes a problem.

So the problem is fairness and equity. I think the preferred way
to settle this is to define some objective criteria that each project
has to meet in order to fit into whatever rating system that you
want to propose. We have to do that ahead of time, transparently,
with community involvement, and without perceived bias in
favoring certain projects (especially those of of the status quo).
I think that effort should be lead by the OWASP Board, but
eventually it needs consensus from the OWASP project leaders
and eventually from the OWASP community at large.

As far as if you want to try and experiment you have my
permission to oust one of the ESAPI project leaders, as long
as it's can me. :)  As long as I can focus on working on the
crypto, you can call me anything you like.  But with ESAPI
and most of the other projects I don't think the issue is necessarily
with the leader per se, but with finding and retaining volunteers.
You cannot expect 1 or 2 people to single-handedly carry a
project for years on end by themselves. They *will* get burned
out. If ESAPI really is being used by 5000 or so companies
as was claimed (and I am *NOT* disputing those figures), then
way is it just so damned hard to get people to commit to helping
out on it? (Other than the plausible explanation that I am just a
PITA to work with, which obviously I can't judge, but if that's the
case, someone else *please* take over and I'll gladly step aside.
Would be nice if someone would kindly tell the clueless dude

What I don't like to see is there are other worthy projects
that are not getting any of the fanfare that ESAPI does even
those projects are more active (in terms of commits and releases)
and have at least as good as quality as ESAPI. That's not fair
to the others. Instead, so you Josh's own words we've been
"pimping the shit" out of ESAPI. I think it's time to step back
and ask ourselves where has that really gotten us?

For now, until we think of something better at least, rather than
"pimping the shit" out of any given project, why don't we take
some of the inactive flagship projects and rotate them (say once
a month, or random or round-robin, etc.) to make space for pimping
some other well deserved projects. I think that's the least we can do.

Blog: http://off-the-wall-security.blogspot.com/
NSA: All your crypto bit are belong to us.

More information about the Owasp-board mailing list