[Owasp-board] OWASP Summer Code Sprint Proposal

Jim Manico jim.manico at owasp.org
Wed Apr 8 00:09:34 UTC 2015


Abraham,

I hear you. Please note that it's my duty to help protect the fiscal 
health of the foundation. Anytime someone asks for "30,000$ real fast" 
it's my job to be concerned and ask tough questions. I was also involved 
in GSoC as a mentor last year so I had a chance to witness some of the 
issues and concerns expressed.

As long as there are clear checks and balances - and as long as the 
foundation can afford this cost - I am in favor of supporting this program.

And Abraham, I do appreciate your enthusiasm and positive contribution 
to this thread. Believe me, I am not just hearing (or experiencing) the 
complaints, I am also listening to the positive experiences shared by 
you, Simon and others.

With respect,
Jim



On 4/7/15 6:14 PM, Abraham Aranguren wrote:
> +1 Let's try to open another thread that focuses on implementing a 
> system that will work.
>
> Ok a few departing notes here from my point of view:
> - *The ONLY slot granting program that makes sense is what Fabio 
> proposed*:
>    + We need a slot granting system that takes project leaders 
> suggestions (and their project-specific, candidate, skill, etc. 
> knowledge) as part of the equation
>    + An unbiased committee is necessary to ensure oversight and 
> fairness among OWASP projects, but this committee CANNOT choose the 
> people or the slots without taking into account how many students each 
> project wants in the first place (i.e. approach last year was "tell me 
> your must haves, nice to haves, do not want and we'll see what we can 
> do"). The project leader preferences MUST be taken into account.
> - Kostas had to take A LOT of decisions (many of them rushed, and most 
> of these not his fault) last year and most of them were imho OK, 
> overall he did a great job and *when somebody puts all that work in 
> without being paid I say: THANK YOU MAN!*
>
> In the spirit of separation of duties I think we are all largely in 
> agreement and we have a lot of experience that can be applied from 
> previous GSoC years.
> So, please let's focus on building a program that WILL work! :)
>
> Thanks all!
>
> Abe
>
> http://owtf.org
>
> P.S. @Jim: We are in a rush because GSoC has started, students are 
> looking for this *in the summer* and we need this thing ready ASAP. We 
> have a lot of smart people in this list, let's make it work! ;)
>
> On Tue, Apr 7, 2015 at 11:03 PM, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>
>     +1 Thank you Paul.
>
>     - Jim
>
>
>     On 4/7/15 3:52 PM, Paul Ritchie wrote:
>>     Team:
>>
>>     This thread is now over 70 comments long and it's moved from
>>     strong passion to get a project up & running......to strong
>>     passion about each other's opinions on how to implement. Strong
>>     opinions are a good thing when focused on the issue, rather than
>>     the person....especially in a volunteer community.
>>
>>     And now....I'd like to see a new thread started with the project
>>     criteria based on everyone's input, some schedule milestones &
>>     key tasks, with a BLANK under the name for 'responsible party'.  
>>     Once "the plan" looks good, we can add people's names to handle
>>     each area....with the goal of technical competency balanced with
>>     transparency and fairness.  I think that is a 'winning' project
>>     plan that will get approved for the funding request.
>>
>>     I am happy to commit some of our staff resource to the project
>>     since it directly aligns with OWASP 2015 Strategic Goals in areas
>>     of Training and Developer engagement.
>>
>>     Add my name to the list of people on the 'planning team' or task
>>     force to help define & finalize the project criteria.
>>     Project Coordinator resumes are being evaluated now by a small
>>     team from the community and we hope to have someone hired by end
>>     of month.
>>
>>     I trust that this will help us move forward.
>>     Cheers Paul
>>
>>     Best Regards, Paul Ritchie
>>     OWASP Interim Executive Director
>>     paul.ritchie at owasp.org <mailto:paul.ritchie at owasp.org>
>>
>>
>>     On Tue, Apr 7, 2015 at 1:11 PM, Konstantinos Papapanagiotou
>>     <Konstantinos at owasp.org <mailto:Konstantinos at owasp.org>> wrote:
>>
>>         All,
>>
>>         I'd like to help but before that I'd like to be 100% certain
>>         that there is no CoI if hackademic participates in the same
>>         sense it participated in last year's GSOC.
>>
>>         Kostas
>>
>>         On Tue, Apr 7, 2015 at 7:31 PM, psiinon <psiinon at gmail.com
>>         <mailto:psiinon at gmail.com>> wrote:
>>
>>             If it comes to a vote then I'd be very happy to back Kostas.
>>             I think he did an excellent job with GSoC.
>>
>>             Simon
>>
>>             On Tue, Apr 7, 2015 at 5:26 PM, Fabio Cerullo
>>             <fcerullo at owasp.org <mailto:fcerullo at owasp.org>> wrote:
>>
>>                 Johanna
>>
>>                 Anybody is welcome to participate and I don’t like to
>>                 establish rules about ‘who’ should be participating
>>                 as the ones you are suggesting.
>>
>>                 As mentioned earlier, I trust Kostas to do a great
>>                 job and you are also welcome to participate in the
>>                 org team / project mentor teams.
>>
>>                 Having said that, I will progress with the project
>>                 proposal working with him which to my view is
>>                 transparent and open to everyone.
>>
>>                 If someone from the Global Board disagrees, please
>>                 let me know. Otherwise I will seek budget approval
>>                 for this to move ahead.
>>
>>                 Thanks,
>>
>>                 Fabio Cerullo
>>                 Global Board Member
>>                 OWASP Foundation
>>                 https://www.owasp.org
>>
>>>                 On 7 Apr 2015, at 16:01, johanna curiel curiel
>>>                 <johanna.curiel at owasp.org
>>>                 <mailto:johanna.curiel at owasp.org>> wrote:
>>>
>>>                 I would definitely support Kostas as overall program
>>>                 admin in case he is interested. Do you agree?
>>>
>>>                 I think this should be submitted to a
>>>                 vote, especially depending if Kostas wants to mentor
>>>                 a project or if hackademics is also participating
>>>
>>>                 On Tue, Apr 7, 2015 at 10:56 AM, Fabio Cerullo
>>>                 <fcerullo at owasp.org <mailto:fcerullo at owasp.org>> wrote:
>>>
>>>                     I think the 2 mentors per student slot makes
>>>                     sense. In case one of the mentors gets sick, etc.
>>>
>>>                     Based on the feedback received and the
>>>                     iterations so far, it seems we have a strong
>>>                     proposal to put up for voting.
>>>
>>>                     I would definitely support Kostas as overall
>>>                     program admin in case he is interested. Do you
>>>                     agree?
>>>
>>>                     Thanks,
>>>
>>>                     Fabio Cerullo
>>>                     Global Board Member
>>>                     OWASP Foundation
>>>                     https://www.owasp.org <https://www.owasp.org/>
>>>
>>>>                     On 7 Apr 2015, at 15:46, johanna curiel curiel
>>>>                     <johanna.curiel at owasp.org
>>>>                     <mailto:johanna.curiel at owasp.org>> wrote:
>>>>
>>>>                     What do you think? I don’t have time to set up
>>>>                     the wiki, etc at present but would welcome your
>>>>                     help.
>>>>
>>>>                     I think the rules based on stages seems quite
>>>>                     fair to me, however, that is my opinion ;-),
>>>>                     another important criteria should be how many
>>>>                     mentors are available per project to provide
>>>>                     guidance. I think 1 project leader per student
>>>>                     should be the minimum (Google uses 2 mentors
>>>>                     per project/proposal)
>>>>
>>>>                     Also it should be clear, in case a mentor is
>>>>                     not able to follow up or continue with mentoring
>>>>                     what should be done and who should follow up
>>>>                     this (the org team), therefore,
>>>>                     when volunteers want to be part of the
>>>>                     program (whether org team/mentor) they must know
>>>>                     their responsibilities, after all,
>>>>                     we don't want to waste money well intended.
>>>>
>>>>                     Fabio, if you have no time to set the wiki,
>>>>                     someone must take the lead to do this, based on
>>>>                     what you have proposed, it seems to me that the
>>>>                     person responsible or in-charge of the program
>>>>                     should do this. Is it clear who is this person?
>>>>                     (will it be Kostas? other ones?)
>>>>
>>>>                     When I take an initiative, I have always
>>>>                     followed these steps (wiki-proposal, publish
>>>>                     info, get reactions/adapt) so it is as much
>>>>                     transparent as I can do. It is a lot of
>>>>                     work but this is part of
>>>>                     our responsibilities when managing these kinds
>>>>                     of initiatives.
>>>>
>>>>                     regards
>>>>
>>>>                     Johanna
>>>>
>>>>                     On Tue, Apr 7, 2015 at 10:37 AM, Fabio Cerullo
>>>>                     <fcerullo at owasp.org
>>>>                     <mailto:fcerullo at owasp.org>> wrote:
>>>>
>>>>                         Johanna,
>>>>
>>>>                         Thanks for asking.
>>>>
>>>>                         I thought about the slot allocation and
>>>>                         maybe the criteria is the ‘maturity’ of the
>>>>                         project.
>>>>
>>>>                         https://www.owasp.org/index.php/OWASP_Project_Stages
>>>>
>>>>                         So, based on the project current status:
>>>>                         Incubator, Lab, Flagship it is decided the
>>>>                         max amount of slots.
>>>>
>>>>                         Flagship: Max 3 slots
>>>>                         Lab: Max 2 slots
>>>>                         Incubator: Max 1 slot
>>>>
>>>>                         What do you think? I don’t have time to
>>>>                         set up the wiki, etc at present but would
>>>>                         welcome your help.
>>>>
>>>>                         Thanks,
>>>>
>>>>                         Fabio Cerullo
>>>>                         Global Board Member
>>>>                         OWASP Foundation
>>>>                         https://www.owasp.org <https://www.owasp.org/>
>>>>
>>>>>                         On 7 Apr 2015, at 15:24, johanna curiel
>>>>>                         curiel <johanna.curiel at owasp.org
>>>>>                         <mailto:johanna.curiel at owasp.org>> wrote:
>>>>>
>>>>>                         5) Finally, the org team in conjunction
>>>>>                         with the project mentors team then decide
>>>>>                         how many slots each project will get.
>>>>>
>>>>>                         I think, in order to avoid any conflict
>>>>>                         of interest, the org team members should
>>>>>                         be an independent member with no ties to
>>>>>                         any of the participating projects
>>>>>
>>>>>                         So I would like to formally request a
>>>>>                         budget of USD 30K (3K per slot with a max
>>>>>                         of 10 slots) to move ahead with this process.
>>>>>
>>>>>                         A clear criteria should exist before any
>>>>>                         approvals are exercised.
>>>>>                         The board should ask :
>>>>>                         /Do we have clear criteria for this program?/
>>>>>                         In my opinion, no, just a bunch of emails.
>>>>>
>>>>>                         /Has it been openly defined for all
>>>>>                         potential participating members and
>>>>>                         project leaders?/
>>>>>                         No, it should be published on a Wiki and
>>>>>                         sent through the community /owasp-leaders
>>>>>                         list for people to comment and agree. At
>>>>>                         least a clear proposal should be setup and
>>>>>                         published.
>>>>>
>>>>>                         After this process then I think we could
>>>>>                         go ahead and approve, because it's clear
>>>>>                         what are the rules for participation.
>>>>>                         There are still some issues that I see as
>>>>>                         potential conflicts such as /for example/:
>>>>>
>>>>>                           * How many slots can a project get?
>>>>>                           * Should a project get more slots than
>>>>>                             others?
>>>>>                           * Based on what /exact/ criteria should
>>>>>                             we provide slots?
>>>>>                           * Should the org team have ties (such
>>>>>                             as being an active volunteer) to the
>>>>>                             participating project (this can be
>>>>>                             a conflict of interest)
>>>>>
>>>>>
>>>>>
>>>>>                         regards
>>>>>
>>>>>                         Johanna
>>>>>
>>>>>
>>>>>
>>>>>                         On Tue, Apr 7, 2015 at 9:28 AM, Fabio
>>>>>                         Cerullo <fcerullo at owasp.org
>>>>>                         <mailto:fcerullo at owasp.org>> wrote:
>>>>>
>>>>>                             Tobias,
>>>>>
>>>>>                             Thanks for your comments.
>>>>>
>>>>>                             I think an escalation procedure on
>>>>>                             step #5 is in order in case there is a
>>>>>                             disagreement between the org team and
>>>>>                             the project mentors team about slots.
>>>>>
>>>>>                             So I would like to formally request a
>>>>>                             budget of USD 30K (3K per slot with a
>>>>>                             max of 10 slots) to move ahead with
>>>>>                             this process.
>>>>>
>>>>>                             I will appreciate the support from
>>>>>                             fellow Board members to make this happen.
>>>>>
>>>>>                             Thanks,
>>>>>
>>>>>                             Fabio Cerullo
>>>>>                             Global Board Member
>>>>>                             OWASP Foundation
>>>>>                             https://www.owasp.org
>>>>>                             <https://www.owasp.org/>
>>>>>
>>>>>>                             On 7 Apr 2015, at 13:49, Tobias
>>>>>>                             <tobias.gondrom at owasp.org
>>>>>>                             <mailto:tobias.gondrom at owasp.org>> wrote:
>>>>>>
>>>>>>                             Sounds fair to me.
>>>>>>
>>>>>>                             With one suggested addition: if there
>>>>>>                             is disagreement in step #5, I like to
>>>>>>                             see this reported to the org team /
>>>>>>                             board / community for resolution
>>>>>>                             without conflict of interest.
>>>>>>                             If the teams agree with the
>>>>>>                             resolution of step #5, I am happy and
>>>>>>                             favour to go ahead. If there is
>>>>>>                             serious disagreement, I like to hear
>>>>>>                             about it.
>>>>>>
>>>>>>                             Best, Tobias
>>>>>>
>>>>>>
>>>>>>                             On 07/04/15 05:33, Fabio Cerullo wrote:
>>>>>>>                             Jim,
>>>>>>>
>>>>>>>                             Please allow me to explain how a
>>>>>>>                             submission process might work for
>>>>>>>                             everyone:
>>>>>>>
>>>>>>>                             1) Students review the ideas
>>>>>>>                             suggested by mentors. For example,
>>>>>>>                             GSOC 2015 Ideas:
>>>>>>>                             https://www.owasp.org/index.php/GSoC2015_Ideas
>>>>>>>                             2) Based on those ideas, the
>>>>>>>                             students submit their own
>>>>>>>                             ideas/projects. Usually there are
>>>>>>>                             dozens of ideas submitted by
>>>>>>>                             students, some are good, some are
>>>>>>>                             poor, and some are completely new.
>>>>>>>                             The mentors are not involved at this
>>>>>>>                             stage other than answering questions
>>>>>>>                             to the students. There is a deadline
>>>>>>>                             for the students' submission.
>>>>>>>                             3) The 'project leaders/mentors
>>>>>>>                             team' are the ones who evaluate and
>>>>>>>                             pick the best student proposals
>>>>>>>                             because they know about their
>>>>>>>                             projects. In the past, we allowed
>>>>>>>                             all mentors to score all proposals
>>>>>>>                             and that is what caused an issue
>>>>>>>                             because some people ‘down voted’
>>>>>>>                             other proposals to let their own
>>>>>>>                             proposals score higher.
>>>>>>>                             4) The 'org team' makes sure that
>>>>>>>                             there is no wrongdoing by reviewing
>>>>>>>                             scores/etc. Last year, the issue
>>>>>>>                             above was identified by Kostas/staff
>>>>>>>                             and it was promptly addressed. An
>>>>>>>                             additional control that could be
>>>>>>>                             implemented, and we were hoping to
>>>>>>>                             implement this year at GSOC, is that
>>>>>>>                             no mentor could vote on other
>>>>>>>                             project proposals (e.g. ZAP mentors
>>>>>>>                             cannot down vote on OWTF proposals
>>>>>>>                             and vice versa). So that will bubble
>>>>>>>                             up naturally all the best proposals
>>>>>>>                             for each corresponding project based
>>>>>>>                             on scores from the project
>>>>>>>                             leaders/mentors.
>>>>>>>                             5) Finally, the org team in
>>>>>>>                             conjunction with the project mentors
>>>>>>>                             team then decide how many slots each
>>>>>>>                             project will get.
>>>>>>>
>>>>>>>                             Does it sound fair?
>>>>>>>
>>>>>>>                             Fabio Cerullo
>>>>>>>                             Global Board Member
>>>>>>>                             OWASP Foundation
>>>>>>>                             https://www.owasp.org
>>>>>>>                             <https://www.owasp.org/>
>>>>>>>
>>>>>>>>                             On 6 Apr 2015, at 20:07, Jim Manico
>>>>>>>>                             <jim.manico at owasp.org
>>>>>>>>                             <mailto:jim.manico at owasp.org>> wrote:
>>>>>>>>
>>>>>>>>                             I suggest the mentors work with
>>>>>>>>                             students to make great proposals and
>>>>>>>>                             have a *different group vote on who
>>>>>>>>                             wins*. The whole issue was mentors
>>>>>>>>                             voting on projects and we should
>>>>>>>>                             consider avoiding that if we
>>>>>>>>                             replicate a similar program at OWASP.
>>>>>>>>
>>>>>>>>                             --
>>>>>>>>                             Jim Manico
>>>>>>>>                             @Manicode
>>>>>>>>                             (808) 652-3805
>>>>>>>>
>>>>>>>>>                             On Apr 6, 2015, at 10:04 AM, Fabio
>>>>>>>>>                             Cerullo <fcerullo at owasp.org
>>>>>>>>>                             <mailto:fcerullo at owasp.org>> wrote:
>>>>>>>>>
>>>>>>>>>                             The ‘Mentors team’ will
>>>>>>>>>                             review/score the proposals and
>>>>>>>>>                             select the best ones with an
>>>>>>>>>                             oversight from the ‘Organisation
>>>>>>>>>                             Team’.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>                             _______________________________________________
>>>>>>>                             Owasp-board mailing list
>>>>>>>                             Owasp-board at lists.owasp.org  <mailto:Owasp-board at lists.owasp.org>
>>>>>>>                             https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>>
>>
>>
>>
>>             -- 
>>             OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project
>>             leader
>>
>>
>>
>>
>>
>>
>>
>>
>
>
>
>
