[Owasp-board] OWASP Summer Code Sprint Proposal

Abraham Aranguren abraham.aranguren at owasp.org
Tue Apr 7 23:14:23 UTC 2015


+1 Let's try to open another thread that focuses on implementing a system
that will work.

Ok a few departing notes here from my point of view:
- *The ONLY slot granting program that makes sense is what Fabio proposed*:
   + We need a slot granting system that takes project leaders' suggestions
(and their project-specific, candidate, skill, etc. knowledge) as part of
the equation
   + An unbiased committee is necessary to ensure oversight and fairness
among OWASP projects, but this committee CANNOT choose the people or the
slots without taking into account how many students each project wants in
the first place (i.e. approach last year was "tell me your must haves, nice
to haves, do not want and we'll see what we can do"). The project leader
preferences MUST be taken into account.
- Kostas had to take A LOT of decisions (many of them rushed, and most of
these not his fault) last year and most of them were imho OK, overall he
did a great job and *when somebody puts all that work in without being paid
I say: THANK YOU MAN!*

In the spirit of separation of duties I think we are all largely in
agreement and we have a lot of experience that can be applied from previous
GSoC years.
So, please let's focus on building a program that WILL work! :)

Thanks all!

Abe

http://owtf.org

P.S. @Jim: We are in a rush because GSoC has started, students are looking
for this *in the summer* and we need this thing ready ASAP. We have a lot
of smart people in this list, let's make it work! ;)

On Tue, Apr 7, 2015 at 11:03 PM, Jim Manico <jim.manico at owasp.org> wrote:

>  +1 Thank you Paul.
>
> - Jim
>
>
> On 4/7/15 3:52 PM, Paul Ritchie wrote:
>
> Team:
>
>  This thread is now over 70 comments long and it's moved from strong
> passion to get a project up & running......to strong passion about each
> other's opinions on how to implement.  Strong opinions are a good thing
> when focused on the issue, rather than the person....especially in a
> volunteer community.
>
>  And now....I'd like to see a new thread started with the project
> criteria based on everyone's input, some schedule milestones & key tasks,
> with a BLANK under the name for 'responsible party'.   Once "the plan"
> looks good, we can add people's names to handle each area....with the goal
> of technical competency balanced with transparency and fairness.  I think
> that is a 'winning' project plan that will get approved for the funding
> request.
>
>  I am happy to commit some of our staff resource to the project since it
> directly aligns with OWASP 2015 Strategic Goals in areas of Training and
> Developer engagement.
>
>  Add my name to the list of people on the 'planning team' or task force
> to help define & finalize the project criteria.
> Project Coordinator resumes are being evaluated now by a small team from
> the community and we hope to have someone hired by end of month.
>
>  I trust that this will help us move forward.
> Cheers Paul
>
>   Best Regards, Paul Ritchie
> OWASP Interim Executive Director
> paul.ritchie at owasp.org
>
>
> On Tue, Apr 7, 2015 at 1:11 PM, Konstantinos Papapanagiotou <
> Konstantinos at owasp.org> wrote:
>
>>  All,
>>
>>  I'd like to help but before that I'd like to be 100% certain that there
>> is no CoI if hackademic participates in the same sense it participated in
>> last year's GSOC.
>>
>>  Kostas
>>
>> On Tue, Apr 7, 2015 at 7:31 PM, psiinon <psiinon at gmail.com> wrote:
>>
>>>  If it comes to a vote then I'd be very happy to back Kostas.
>>>  I think he did an excellent job with GSoC.
>>>
>>>  Simon
>>>
>>> On Tue, Apr 7, 2015 at 5:26 PM, Fabio Cerullo <fcerullo at owasp.org>
>>> wrote:
>>>
>>>> Johanna
>>>>
>>>>  Anybody is welcome to participate and I don’t like to establish rules
>>>> about ‘who’ should be participating as the ones you are suggesting.
>>>>
>>>>  As mentioned earlier, I trust Kostas to do a great job and you are
>>>> also welcome to participate in the org team / project mentor teams.
>>>>
>>>>  Having said that, I will progress with the project proposal working
>>>> with him which to my view is transparent and open to everyone.
>>>>
>>>>  If someone from the Global Board disagrees, please let me know.
>>>> Otherwise I will seek budget approval for this to move ahead.
>>>>
>>>>  Thanks,
>>>>
>>>>  Fabio Cerullo
>>>> Global Board Member
>>>> OWASP Foundation
>>>> https://www.owasp.org
>>>>
>>>>    On 7 Apr 2015, at 16:01, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>>  I would definitely support Kostas as overall program admin in case he
>>>> is interested. Do you agree?
>>>>
>>>>  I think this should be submitted to a vote, especially depending if
>>>> Kostas wants to mentor a project or if hackademics is also participating
>>>>
>>>> On Tue, Apr 7, 2015 at 10:56 AM, Fabio Cerullo <fcerullo at owasp.org>
>>>> wrote:
>>>>
>>>>> I think the 2 mentors per student slot makes sense. In case one of the
>>>>> mentors gets sick, etc.
>>>>>
>>>>>  Based on the feedback received and the iterations so far, it seems
>>>>> we have a strong proposal to put up for voting.
>>>>>
>>>>>  I would definitely support Kostas as overall program admin in case
>>>>> he is interested. Do you agree?
>>>>>
>>>>>  Thanks,
>>>>>
>>>>>  Fabio Cerullo
>>>>> Global Board Member
>>>>> OWASP Foundation
>>>>> https://www.owasp.org
>>>>>
>>>>>    On 7 Apr 2015, at 15:46, johanna curiel curiel <
>>>>> johanna.curiel at owasp.org> wrote:
>>>>>
>>>>>  What do you think? I don’t have time to setup the wiki, etc at
>>>>> present but would welcome your help.
>>>>>
>>>>>  I think the rules based on stages seems quite fair to me, however,
>>>>> that is my opinion ;-), another important criteria should be how many
>>>>> mentors are available per project to provide guidance. I think 1 project
>>>>> leader per student should be the minimum (Google uses 2 mentors per
>>>>> project/proposal)
>>>>>
>>>>>  Also it should be clear, in case a mentor is not able to follow up
>>>>> or continue with mentoring, what should be done and who should follow up
>>>>> this (the org team), therefore, when volunteers want to be part of the
>>>>> program (whether org team/mentor) they must know their responsibilities,
>>>>> after all, we don't want to waste money well intended.
>>>>>
>>>>>  Fabio, if you have no time to set the wiki, someone must take the
>>>>> lead to do this, based on what you have proposed, it seems to me that the
>>>>> person responsible or in-charge of the program should do this. Is it clear
>>>>> who is this person? (will it be Kostas? other ones?)
>>>>>
>>>>>  When I take an initiative, I have always followed these steps
>>>>> (wiki-proposal, publish info, get reactions/adapt) so it is as
>>>>> transparent as I can make it. It is a lot of work but this is part of
>>>>> our responsibilities when managing these kinds of initiatives.
>>>>>
>>>>>  regards
>>>>>
>>>>>  Johanna
>>>>>
>>>>> On Tue, Apr 7, 2015 at 10:37 AM, Fabio Cerullo <fcerullo at owasp.org>
>>>>> wrote:
>>>>>
>>>>>> Johanna,
>>>>>>
>>>>>>  Thanks for asking.
>>>>>>
>>>>>>  I thought about the slot allocation and maybe the criteria is the
>>>>>> ‘maturity’ of the project.
>>>>>>
>>>>>>  https://www.owasp.org/index.php/OWASP_Project_Stages
>>>>>>
>>>>>>  So, based on the project current status: Incubator, Lab, Flagship
>>>>>> it is decided the max amount of slots.
>>>>>>
>>>>>>  Flagship: Max 3 slots
>>>>>> Lab: Max 2 slots
>>>>>> Incubator: Max 1 slot
>>>>>>
>>>>>>  What do you think? I don’t have time to setup the wiki, etc at
>>>>>> present but would welcome your help.
>>>>>>
>>>>>>  Thanks,
>>>>>>
>>>>>>   Fabio Cerullo
>>>>>> Global Board Member
>>>>>> OWASP Foundation
>>>>>> https://www.owasp.org
>>>>>>
>>>>>>    On 7 Apr 2015, at 15:24, johanna curiel curiel <
>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>>  5) Finally, the org team in conjunction with the project mentors
>>>>>> team then decide how many slots each project will get.
>>>>>>
>>>>>>  I think, in order to avoid any conflict of interest, the org team
>>>>>> members should be an independent member with no ties to any of
>>>>>> the participating projects
>>>>>>
>>>>>>  So I would like to formally request a budget of USD 30K (3K per
>>>>>> slot with a max of 10 slots) to move ahead with this process.
>>>>>>
>>>>>>  A clear criteria should exist before any approvals are exercised.
>>>>>> The board should ask :
>>>>>> *Do we have clear criteria for this program?*
>>>>>> In my opinion, no, just a bunch of emails.
>>>>>>
>>>>>>  *Has it been openly defined for all potential participating members
>>>>>> and project leaders?*
>>>>>> No, it should be published on a Wiki and sent through the community
>>>>>> /owasp-leaders list for people to comment and agree. At least a clear
>>>>>> proposal should be setup and published.
>>>>>>
>>>>>>  After this process then I think we could go ahead and approve,
>>>>>> because it's clear what are the rules for participation. There are still
>>>>>> some issues that I see as potential conflicts such as *for example*:
>>>>>>
>>>>>>    - How many slots can a project get?
>>>>>>    - Should a project get more slots than others?
>>>>>>    - Based on what *exact* criteria should we provide slots?
>>>>>>    - Should the org team have ties (such as being an active
>>>>>>    volunteer) to the participating project (this can be conflict of interest)
>>>>>>
>>>>>>
>>>>>>
>>>>>>  regards
>>>>>>
>>>>>>  Johanna
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Apr 7, 2015 at 9:28 AM, Fabio Cerullo <fcerullo at owasp.org>
>>>>>> wrote:
>>>>>>
>>>>>>>  Tobias,
>>>>>>>
>>>>>>>  Thanks for your comments.
>>>>>>>
>>>>>>>  I think an escalation procedure on step #5 is in order in case
>>>>>>> there is a disagreement between the org team and the project mentors team
>>>>>>> about slots.
>>>>>>>
>>>>>>>  So I would like to formally request a budget of USD 30K (3K per
>>>>>>> slot with a max of 10 slots) to move ahead with this process.
>>>>>>>
>>>>>>>  I will appreciate the support from fellow Board members to make
>>>>>>> this happen.
>>>>>>>
>>>>>>>  Thanks,
>>>>>>>
>>>>>>>  Fabio Cerullo
>>>>>>> Global Board Member
>>>>>>> OWASP Foundation
>>>>>>> https://www.owasp.org
>>>>>>>
>>>>>>>    On 7 Apr 2015, at 13:49, Tobias <tobias.gondrom at owasp.org> wrote:
>>>>>>>
>>>>>>>  Sounds fair to me.
>>>>>>>
>>>>>>> With one suggested addition: if there is disagreement in step #5, I
>>>>>>> like to see this reported to the org team / board / community for
>>>>>>> resolution without conflict of interest.
>>>>>>> If the teams agree with the resolution of step #5, I am happy and
>>>>>>> favour to go ahead. If there is serious disagreement, I like to hear about
>>>>>>> it.
>>>>>>>
>>>>>>> Best, Tobias
>>>>>>>
>>>>>>>
>>>>>>> On 07/04/15 05:33, Fabio Cerullo wrote:
>>>>>>>
>>>>>>> Jim,
>>>>>>>
>>>>>>>  Please allow me to explain how a submission process might work for
>>>>>>> everyone:
>>>>>>>
>>>>>>>  1) Students review the ideas suggested by mentors. For example,
>>>>>>> GSOC 2015 Ideas: https://www.owasp.org/index.php/GSoC2015_Ideas
>>>>>>> 2) Based on those ideas, the students submit their own
>>>>>>> ideas/projects. Usually there are dozens of ideas submitted by students,
>>>>>>> some are good, some are poor, and some are completely new. The mentors are
>>>>>>> not involved at this stage other than answering questions to the students.
>>>>>>> There is a deadline for the students submission.
>>>>>>> 3) The 'project leaders/mentors team' are the ones who evaluate and
>>>>>>> pick the best students proposals because they know about their projects. In
>>>>>>> the past, we allowed all mentors to score all proposals and that is what
>>>>>>> caused an issue because some people ‘down voted’ other proposals to let
>>>>>>> their own proposals to score higher.
>>>>>>> 4) The 'org team' makes sure that there is no wrongdoing by
>>>>>>> reviewing scores/etc. Last year, the issue above was identified by
>>>>>>> Kostas/staff and it was promptly addressed. An additional control that
>>>>>>> could be implemented, and we were hoping to implement this year at GSOC, is
>>>>>>> that no mentor could vote on other project proposals (e.g. ZAP mentors
>>>>>>> cannot down vote on OWTF proposals and vice versa). So that will bubble up
>>>>>>> naturally all the best proposals for each corresponding project based on
>>>>>>> scores from the project leaders/mentors.
>>>>>>> 5) Finally, the org team in conjunction with the project mentors
>>>>>>> team then decide how many slots each project will get.
>>>>>>>
>>>>>>>  Does it sound fair?
>>>>>>>
>>>>>>>  Fabio Cerullo
>>>>>>> Global Board Member
>>>>>>> OWASP Foundation
>>>>>>> https://www.owasp.org
>>>>>>>
>>>>>>>  On 6 Apr 2015, at 20:07, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>>>
>>>>>>> I suggest the mentors work with students to make great proposals and
>>>>>>> have a *different group vote on who wins*. The whole issue was mentors
>>>>>>> voting on projects and we should consider avoiding that if we
>>>>>>> replicate a similar program at OWASP.
>>>>>>>
>>>>>>> --
>>>>>>> Jim Manico
>>>>>>> @Manicode
>>>>>>> (808) 652-3805
>>>>>>>
>>>>>>> On Apr 6, 2015, at 10:04 AM, Fabio Cerullo <fcerullo at owasp.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>> The ‘Mentors team’ will review/score the proposals and select the
>>>>>>> best ones with an oversight from the ‘Organisation Team’.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Owasp-board mailing list
>>>>>>> Owasp-board at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>
>>>  --
>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader