[Owasp-board] Proposal for new global OWASP mailing-list "owasp-community"

Tobias tobias.gondrom at owasp.org
Sun Feb 23 15:11:06 UTC 2014

Hi Matt,

thanks for the info. That is interesting but not what I meant. Probably
my initial naming was misleading.
I do not want a list for announcements with everyone of the our 42,000+
people in it. We have or might need this for other purposes (e.g. the
connector), but not for what I have in mind.

I like to create a list with opt-in that allows interested OWASP members
and contributors (who are not leaders) to join the discussion of
projects and ideas. (Some of which we do today on the leaders list, but
the leaders-list fails to allow non-leaders to participate in the
discussion or learn about new "project request for volunteer"
opportunities, etc.)

Jim made a great name suggestion: "owasp-community"

Maybe one technology question: do you think such a mailing-list hosted
on our servers would be able to cope with up to 2000 subscribers? (I
know from other mailman lists that manage up to 5-10,000, but am not
sure our infrastructure could hold that volume, too...)

If you think that could work, please do the following... Or we just give
it a try and see where it leads us.

*@Matt: please create a new mailing-list with the name "owasp-community"*
Description: "Discuss global OWASP community topics, to find new project
or initiative ideas that are looking for other fellow contributors and
volunteers and discuss news that are relevant and valuable for the
global OWASP community. - open to all, especially leaders, members,
contributors and interested community members."
No initial population. We will do purely opt-in.
(I'll work with our ops team on informing people through the usual
channels over the coming weeks). Hopefully people will join this
opportunity in addition to the leaders-list and we can get a global
owasp community platform exchanging ideas, joining projects across
chapters, etc. 

Thanks and all the best,


On 22/02/14 06:27, Matt Tesauro wrote:
> Catching up on emails...
> There already is a list called owasp-all on lists.owasp.org
> <http://lists.owasp.org>.  It was created previously to use a
> semi-convoluted process [1] to add every member of a list in Mailman
> on lists.owasp.org <http://lists.owasp.org> and add their address to
> that list.
> The lists original purpose was for announcement to all the people who
> had an account on lists.owasp.org <http://lists.owasp.org> - posting
> was (and is) strictly controlled for obvious reasons.  It was used by
> the OWASP Connector but the size of the population of that list was
> killing our outbound email server.  It currently has roughly 42,000+
> members.  (There are 713 lists on lists.owasp.org
> <http://lists.owasp.org> currently, BTW)
> So, if you want an way to announce things to the general OWASP
> population, Mailman may not be the best thing to do that with.
>  Perhaps Salesforce could be used with the paid membership's tracked
> in there.
> No trying to spoil the idea - just trying to lay down the IT landscape
> for this conversation.
> [1] From my IT archaeological work, I've discovered the process for
> adding people to owasp-all is as follows.  
> Note:  remove-from-all is a "shadow" list which holds people who've
> requested to be removed from owasp-all.
> Every hour at 6 min after the hour, owasp_parent_list.sh is run which
>  *
>     dumps remove-from-alllist members to a file in /tmp called no_all
>  *
>     removes all users from owasp-all with remove_members -n -N -a
>     owasp-all
>  *
>     creates a list of all the mailman members
>  *
>     get the list of remove-from-all members and takes those out of the
>     list of all members with 1+ list membership
>  *
>     takes the resultant list and re-creates owasp-all
> I've got this and a ton of other IT admin related details in Google
> docs and shared with the rest of the staff to hedge against the "hit
> by a bus" contingency.
> --
> -- Matt Tesauro
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
> On Fri, Feb 14, 2014 at 1:59 PM, Tobias <tobias.gondrom at owasp.org
> <mailto:tobias.gondrom at owasp.org>> wrote:
>     Hello,
>     == Proposal ==
>     (I post this first to the OWASP board list for initial feedback
>     and if the idea catches some general support, we can then either
>     just create the list and see how things go or propose a discussion
>     of this on the leaders-list.)
>     *I propose to create a new mailing-list "owasp-all". *
>     *Reasoning:* to open global OWASP discussions to the global
>     community, beyond the leaders-list.
>     Over the last months and years, I noticed that we had a number of
>     discussions on the "leaders-list" that should in fact have been
>     open to many more of our members and active contributor as well.
>     Like proposing new ideas for projects and initiatives or e.g. the
>     discussion about RSA and the OWASP security statement.
>     Note: The leaders-list will remain very important and essential
>     for all project and chapter leadership questions.
>     I just like to enable normal OWASP members and contributors to
>     exchange ideas and cooperate across chapter boundaries as well.
>     For example it would be nice if OWASP members could coordinate
>     worldwide across chapters to start projects and initiatives or
>     spontaneously join together for a new OWASP initiative. Some of
>     these discussions currently happen informally somewhere in the
>     hallway of a conference, or are done on the leaders list and then
>     sometimes communicated into the local chapters - or not. Which
>     IMHO leaves out the many OWASP members and active contributors,
>     who might be interested in joining interesting new projects or
>     starting new initiatives or voicing their opinion about what OWASP
>     should do in global questions, but who can not participate in the
>     discussion directly because they are not chapter leaders or
>     project leaders.
>     So my proposal is to create a new mailing-list:
>     *Name: "**owasp-all"*
>     (or alternative name ideas: "owasp-owasp", "owasp-world", ...)
>     *Scope: **
>     *topics in-scope of this mailing-list are new project and
>     initiative ideas that are looking for other fellow contributors
>     and volunteers and news that are relevant and valuable for the
>     global OWASP community. Explicitly out of scope is everything that
>     can be discussed in a specific project or chapter or group of
>     chapters, and topics that are already covered by the scope of any
>     other mailing-list like the governance and project lists.
>     And as this is a global mailing-list with potentially a lot of
>     subscribers, we ask members to be very cautious and conservative
>     in posting there and follow the scope definition very carefully.
>     Furthermore, please refrain from cross-posting to this
>     mailing-list. And be considerate whether you really need to reply
>     to the whole list of thousands of people if e.g. you just want to
>     sign up to a new initiative. A direct reply to the person who sent
>     the initial message can spare others a lot of email traffic.
>     *Target group: **
>     *all OWASP leaders, active contributors and those who are
>     interested in joining a project or initiative and don't know yet
>     which one, OWASP members, and anyone interested in the global
>     OWASP community.
>     *Sign-up: **
>     *The list is free for anyone to subscribe / unsubscribe.
>     At the start, I suggest that the list should be pre-filled with
>     all members of the leaders-list and all OWASP members (as per the
>     membership list) with the option to unsubscribe like from any
>     other free mailing-list.
>     Going forward I propose to add a flag at the membership renewal
>     form (i.e. when you pay your membership fee) that you want to be
>     on the global "OWASP-all" mailing-list (with the default setting
>     to be "yes").
>     And I would appreciate if we could send an email to all chapter
>     mailing-lists to inform people there about this new global OWASP
>     community mailing-list which is open to everyone.
>     Please note that I don't know whether we would need a board vote
>     for this mailing-list to be created or could just do it.
>     So I err on the side of caution and ask for feedback and possibly
>     a board vote for approval.
>     All the best,
>     Tobias
>     Tobias Gondrom
>     OWASP Global Board Member
>     OWASP CISO Survey Project Lead
>     email: tobias.gondrom at owasp.org <mailto:tobias.gondrom at owasp.org>
>     mobile: +852 56002975 <tel:%2B852%2056002975>
>     mobile: +44 7521003005 <tel:%2B44%207521003005>
>     skype: tgondrom
>     twitter: @tgondrom
>     _______________________________________________
>     Owasp-board mailing list
>     Owasp-board at lists.owasp.org <mailto:Owasp-board at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-board

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20140223/f2d5879e/attachment.html>

More information about the Owasp-board mailing list