[Owasp-board] A New Projects Model

Michael Coates michael.coates at owasp.org
Mon Apr 14 15:31:30 UTC 2014

Good interim suggestion - until we fix the flagship and projects issue
overall, why not consider rotating the projects listed on the homepage.

For now we just say Featured Projects on the homepage (so we don't have to
boil the ocean).

I say we just let the community decide. A call for projects, a community
vote, and we list the top 5 Featured Projects on the home page for the next
60 days. I have faith our community will pick projects that we're all happy
to promote.

On Apr 13, 2014 7:06 PM, "Kevin W. Wall" <kevin.w.wall at gmail.com> wrote:

> [Apologies in advance for being anal and trimming all but the last
> post, but all this top-posting drives me crazy. I grew up on old
> school /bin/mail and mailx and personally find top posting
> anathema, most of which I blame on Outlook.]
> On Sun, Apr 13, 2014 at 6:50 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > Maybe ESAPI was a bad example as it's not additional features that it
> > lacks, but rather code quality in general.  Based on what you said, ESAPI
> > would probably be in the Everything Else bucket.  Not ready for Production
> > means not ready for #2.  That doesn't mean that others can't work on it
> > and get it there, but we wouldn't put Foundation resources into it until
> > it's ready.
> > Maybe another tier for foundational projects that we recognize long term
> > value in but that aren't ready for the big show yet?
> Speaking as one of the ESAPI project leaders, the problem that I
> see is that we have lots of competing projects (I think Josh said
> 177) and all of them are vying for limited resources, where
> "resources" are funding, volunteers, and developer attention.
> When a relatively inactive project like ESAPI is the one that
> garners the headline position (in the OWASP Welcome banner)
> and gets a dedicated hackathon to the exclusion of other
> deserving projects, then that becomes a problem.
> So the problem is fairness and equity. I think the preferred way
> to settle this is to define some objective criteria that each project
> has to meet in order to fit into whatever rating system that you
> want to propose. We have to do that ahead of time, transparently,
> with community involvement, and without perceived bias in
> favoring certain projects (especially those of the status quo).
> I think that effort should be led by the OWASP Board, but
> eventually it needs consensus from the OWASP project leaders
> and eventually from the OWASP community at large.
> As far as if you want to try and experiment, you have my
> permission to oust one of the ESAPI project leaders, as long
> as it can be me. :)  As long as I can focus on working on the
> crypto, you can call me anything you like.  But with ESAPI
> and most of the other projects I don't think the issue is necessarily
> with the leader per se, but with finding and retaining volunteers.
> You cannot expect 1 or 2 people to single-handedly carry a
> project for years on end by themselves. They *will* get burned
> out. If ESAPI really is being used by 5000 or so companies
> as was claimed (and I am *NOT* disputing those figures), then
> why is it just so damned hard to get people to commit to helping
> out on it? (Other than the plausible explanation that I am just a
> PITA to work with, which obviously I can't judge, but if that's the
> case, someone else *please* take over and I'll gladly step aside.
> Would be nice if someone would kindly tell the clueless dude
> though.)
> What I don't like to see is that there are other worthy projects
> that are not getting any of the fanfare that ESAPI does, even
> though those projects are more active (in terms of commits and releases)
> and have at least as good quality as ESAPI. That's not fair
> to the others. Instead, to use Josh's own words, we've been
> "pimping the shit" out of ESAPI. I think it's time to step back
> and ask ourselves where has that really gotten us?
> For now, until we think of something better at least, rather than
> "pimping the shit" out of any given project, why don't we take
> some of the inactive flagship projects and rotate them (say once
> a month, or random or round-robin, etc.) to make space for pimping
> some other well deserved projects. I think that's the least we can do.
> -kevin
> --
> Blog: http://off-the-wall-security.blogspot.com/
> NSA: All your crypto bit are belong to us.
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
