[Owasp-board] OWASP Summer of Code Sprint Proposal

Tobias tobias.gondrom at owasp.org
Wed Apr 22 17:22:16 UTC 2015


I tend to agree with Josh and Jim's suggestion on scope and funding. 
Incl. that projects could use some of their funding if available.

(maybe as a small thought for a compromise on Josh's point: if a project 
has less than USD1000 in the budget, and that money is already 
planned/committed for another activity, we could exempt that amount.)

What do others think?

Best, Tobias


On 22/04/15 17:39, Jim Manico wrote:
> Very reasonable. +1 Josh.
>
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
> On Apr 22, 2015, at 6:33 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> Kostas,
>>
>> I don't disagree that this is important for the Foundation's mission, 
>> but the devil is in the details.  This whole plan is a reaction to us 
>> not being accepted to the Google Summer of Code project.  It was not 
>> budgeted for 2015 and that means that we are taking money away from 
>> another budget in order to fund this.  In addition, this is not a 
>> project that OWASP has ever run itself in the past.  Because of this, 
>> I think we need to proceed, but proceed with caution and limit our 
>> liabilities. So, I'm not really sure whose proposal is for what at 
>> this point, but my stipulations remain for support of any plan:
>>
>> 1) Limit funds to a reasonable amount of money.  I suggested $12k 
>> since that seems reasonable to me and just eats up one quarter of the 
>> funding we are taking from to make this work, leaving funds available 
>> for other project-related activities.
>>
>> 2) Projects must spend their account funds first before being able to 
>> use these funds.  I won't waver on this. AppSensor has $4069.73, 
>> ESAPI $2836.58, OpenSAMM $7323.40, and ZAP $9675.48 
>> (https://docs.google.com/spreadsheet/pub?hl=en_US&key=0Atu4kyR3ljftdEdQWTczbUxoMUFnWmlTODZ2ZFZvaXc&hl=en_US&gid=3). 
>> All of these would easily have the ability to fund work if it were a 
>> priority and have elected not to do so. Other projects have 
>> significant funds as well totaling over $39,544 currently 
>> "ring-fenced" for the projects.
>>
>> So, I support the initiative, but for me to vote in favor of it I 
>> need for those two things to be incorporated into the plan.  I'm just 
>> one person though so maybe you'll have the support you need without 
>> me if you decide to proceed with the current proposal as written.
>>
>> ~josh
>>
>> On Wed, Apr 22, 2015 at 11:01 AM, Konstantinos Papapanagiotou 
>> <Konstantinos at owasp.org> wrote:
>>
>>     Josh,
>>
>>     When putting together this proposal, I tried to make it a win
>>     case for all parties. This is why I believe it's very important
>>     for the foundation's mission: we reach out to students and
>>     universities, get work done on our projects and "recruit"
>>     enthusiastic contributors that will most likely keep volunteering
>>     in the future.
>>     Being a project leader myself, I think the initial proposal will
>>     get more support from the project leaders. At the same time
>>     Fabio's approach is equally or even more appealing and better
>>     balanced. I would like to have support from a vast majority of
>>     the board if possible, so if you feel more comfortable with
>>     Fabio's approach, we can adopt it.
>>
>>     Kostas
>>
>>
>>     On Wednesday, April 22, 2015, Josh Sokol <josh.sokol at owasp.org>
>>     wrote:
>>
>>         So, if projects can already spend their money any way they
>>         want (obviously with some caveats), and they haven't
>>         prioritized paying others to help with the code (whether they
>>         are students or professionals), then why should the
>>         Foundation care to spend its money on something that the
>>         projects don't value enough to spend their money on?  I draw
>>         a lot of parallels here between projects and chapters because
>>         the conversation around money ultimately comes down to a
>>         discussion about the "ring-fenced funds" in our accounts. 
>>         Basically, funds that are currently allocated to a chapter or
>>         project, but aren't in active use, and can't be used for
>>         something else.  And with rules in place (and others being
>>         added) designed to make the chapters spend their money to
>>         avoid this situation, I see no reason why we should treat the
>>         projects any differently. If a project has money, they need
>>         to spend it.  In addition, if we made the assumption that
>>         it was important to invest money in our projects for such an
>>         initiative, and some projects already have this money and
>>         aren't spending it in this way, then I would choose to
>>         instead fund the projects who do not have the money to even
>>         make this choice.  In other words, we should be allocating
>>         this money to the projects who don't have money, not the ones
>>         that do.  If we cannot agree that the projects need to spend
>>         their account funds first, then we cannot agree that this
>>         money should be allocated at all.  Based on this, my vote
>>         will be "no" if a vote is requested.
>>
>>         ~josh
>>
>>         On Wed, Apr 22, 2015 at 7:42 AM, Konstantinos Papapanagiotou
>>         <Konstantinos at owasp.org> wrote:
>>
>>             Projects can already spend their money any way they want.
>>             As a project leader, why should I give my budget to this
>>             initiative, go through all this process and not hire
>>             instead a professional developer?
>>             I believe that this should be an organization-level
>>             initiative that can include projects with no budget;
>>             driven as an OWASP initiative not a (for example)
>>             ZAP-OWTF-Hackademic side-project. Projects that have
>>             budget can go out on their own and look for students or
>>             developers in a probably more effective way.
>>
>>             Kostas
>>
>>
>>             On Wednesday, April 22, 2015, Josh Sokol
>>             <josh.sokol at owasp.org> wrote:
>>
>>                  I would like to see a couple of changes:
>>
>>                 1) I'm not sure it makes sense to use $30k of the
>>                 project funding for this one initiative.  It consumes
>>                 60% of the funding for a far smaller percentage of
>>                 our active projects.  OWASP also has no history with
>>                 running this initiative ourselves so I would prefer
>>                 to limit our exposure here the first time around.  I
>>                 would rather see us allocate $12,000, roughly 25% of
>>                 the overall budget allocated to projects.  This burns
>>                 our budget for one quarter, but leaves sufficient
>>                 budget for the rest of the year.  It is enough to
>>                 fully fund 8 students at the $1500/student price tag
>>                 which seems like a reasonable place for us to start
>>                 this initiative.  If the initiative is successful,
>>                 then I would consider increasing the funding when
>>                 budgeting for next year.
>>
>>                 2) I have not seen any stipulation here stating that
>>                 projects must use their project funds before being
>>                 able to use Foundation funds. This is a requirement
>>                 for all chapters using community engagement funding
>>                 and should apply equally to the projects.  Saying
>>                 that a project with money can buy additional slots is
>>                 not the same thing as saying that they need to use
>>                 their funds first.  If we all agree that funds are
>>                 allocated to be spent, not saved, then I see no
>>                 reason why projects with funds should not be
>>                 encouraged to spend funds in their account first and
>>                 foremost.
>>
>>                 I fully support the initiative, but would like to see
>>                 these limitations placed on it before voting yes on it.
>>
>>                 ~josh
>>
>>                 On Mon, Apr 20, 2015 at 6:00 PM, Fabio Cerullo
>>                 <fcerullo at owasp.org> wrote:
>>
>>                     Hi
>>
>>                     I fully endorse this initiative and think it is
>>                     aligned with our mission and strategic goals.
>>
>>                     I appreciate the comments regarding the budgeting
>>                     and we could lower them to a level which everyone
>>                     feels comfortable with.. What about 10 slots at
>>                     USD 1500 each.. Total budget USD 15000
>>
>>                     Paul, I think the proposal by Kostas supports
>>                     that approach. Any project leader could decide to
>>                     get an additional slot/s by using their project
>>                     funds. The only clarification is that Summer of
>>                     Code is about 'code' so the documentation
>>                     projects are out of scope.
>>
>>                     Is everyone satisfied with the overall contents
>>                     of the proposal? Can we bring this to a vote by
>>                     the Board and move forward?
>>
>>                     Thanks Kostas for putting this together.
>>
>>                     Regards,
>>
>>                     Fabio
>>
>>                     Sent from my iPhone
>>
>>                     On 20 Apr 2015, at 14:39, Paul Ritchie
>>                     <paul.ritchie at owasp.org> wrote:
>>
>>>                     Hi Josh, all:
>>>
>>>                     So you are suggesting that a couple of the well
>>>                     funded Projects like AppSensor, OpenSAMM, ZAP,
>>>                     etc., could make a decision to 'sponsor' a
>>>                     student under the Summer of Code program to the
>>>                     tune of $1500 or $3000 or whatever they wanted
>>>                     to contribute. And, they could ensure that those
>>>                     funds were used on student work benefiting their
>>>                     project.
>>>
>>>                     I like that approach. Funded projects support
>>>                     their own work effort, and then the Foundation
>>>                     could support other high-value student proposals
>>>                     that focus on new projects or under-funded projects.
>>>                     Paul
>>>
>>>                     Best Regards, Paul Ritchie
>>>                     OWASP Interim Executive Director
>>>                     paul.ritchie at owasp.org
>>>
>>>
>>>                     On Mon, Apr 20, 2015 at 1:21 PM, Josh Sokol
>>>                     <josh.sokol at owasp.org> wrote:
>>>
>>>                         I think we should treat it like we do the
>>>                         chapters.  If a project has money in their
>>>                         account, then they are not eligible for
>>>                         Foundation funds until that money has been
>>>                         allocated. I'd also agree that $30k of
>>>                         unbudgeted funds is a lot to spend like this
>>>                         considering I don't see any reason to hurry
>>>                         here. It literally means robbing another
>>>                         budgeted project in order to account for
>>>                         this.  That said, I support the idea, in
>>>                         concept. Maybe the projects with some money
>>>                         can front it for their slots, the Foundation
>>>                         can use this as an experiment for our own
>>>                         program, and we can see how it goes. Minimal
>>>                         risk with a high reward and we can budget
>>>                         for more next year?
>>>
>>>                         ~josh
>>>
>>>                         On Mon, Apr 20, 2015 at 2:59 PM, Tobias
>>>                         <tobias.gondrom at owasp.org> wrote:
>>>
>>>                             Well, I don't know.
>>>
>>>                             IMHO the criteria should be based on
>>>                             quality of proposal and bang for the
>>>                             buck for OWASP.
>>>
>>>                             incubator/lab/flagship seems not so
>>>                             useful. E.g. if we get three good in one
>>>                             category, I would not see a point
>>>                             selecting one from another one just to
>>>                             serve all categories.
>>>
>>>                             Cheers, Tobias
>>>
>>>
>>>
>>>                             On 20/04/15 19:49, johanna curiel curiel
>>>                             wrote:
>>>>                             >Not sure we need to split this in incubator/lab/flagship categories.
>>>>
>>>>                             Tobias, this could be an option if we
>>>>                             would like to provide a fair chance to
>>>>                             all project categories. Would you
>>>>                             suggest other criteria for selection?
>>>>
>>>>                             cheers
>>>>
>>>>                             Johanna
>>>>
>>>>                             On Mon, Apr 20, 2015 at 2:44 PM, Tobias
>>>>                             <tobias.gondrom at owasp.org> wrote:
>>>>
>>>>                                 3 x 2500USD sounds reasonable.
>>>>
>>>>                                 Not sure we need to split this in
>>>>                                 incubator/lab/flagship categories.
>>>>
>>>>                                 Best, Tobias
>>>>
>>>>
>>>>
>>>>                                 On 20/04/15 19:39, johanna curiel
>>>>                                 curiel wrote:
>>>>>                                 Consider maybe a small pilot with
>>>>>                                 3 types of projects:
>>>>>                                 1 Incubator, 1 LAB, 1 Flagship
>>>>>
>>>>>                                 Do a pre selection of the most
>>>>>                                 active on each category  and then
>>>>>                                 select at random the participating
>>>>>                                 one.
>>>>>
>>>>>                                 just an idea
>>>>>
>>>>>                                 Total for the pilot 9,000USD (3 x
>>>>>                                 3000USD) or
>>>>>                                 USD2500x 3 = 7500USD
>>>>>
>>>>>                                 regards
>>>>>
>>>>>                                 Johanna
>>>>>
>>>>>                                 On Mon, Apr 20, 2015 at 2:21 PM,
>>>>>                                 Jim Manico <jim.manico at owasp.org>
>>>>>                                 wrote:
>>>>>
>>>>>                                     A suggestion. Because this is
>>>>>                                     the first time OWASP is
>>>>>                                     directly funding this
>>>>>                                     initiative, can we start with
>>>>>                                     a smaller financial amount,
>>>>>                                     measure success, and then
>>>>>                                     consider larger funding next
>>>>>                                     year? I want to see how we do
>>>>>                                     first and would feel more
>>>>>                                     comfortable with a smaller
>>>>>                                     experiment.
>>>>>
>>>>>                                     - Jim
>>>>>
>>>>>
>>>>>
>>>>>                                     On 4/19/15 8:27 AM,
>>>>>                                     Konstantinos Papapanagiotou wrote:
>>>>>>                                     Dear board,
>>>>>>
>>>>>>                                     Following recent
>>>>>>                                     conversations I would like to
>>>>>>                                     formally submit a proposal
>>>>>>                                     for the OWASP Summer of Code
>>>>>>                                     Sprint, requesting a budget
>>>>>>                                     of $30,000.
>>>>>>
>>>>>>                                     The details of the proposal
>>>>>>                                     can be found here:
>>>>>>                                     https://docs.google.com/document/d/1FTC-zh__i6ft6uyZRw4rZHxOA44U6T7i33r8RkN0AXk/edit?usp=sharing
>>>>>>
>>>>>>                                     I believe that such
>>>>>>                                     initiatives are important for
>>>>>>                                     our mission as they combine
>>>>>>                                     project contributions and
>>>>>>                                     reaching out to students who
>>>>>>                                     are future developers.
>>>>>>
>>>>>>                                     Looking forward to your comments,
>>>>>>
>>>>>>                                     Kostas
>>>>>>
>>>>>>
>>>>>>                                     _______________________________________________
>>>>>>                                     Owasp-board mailing list
>>>>>>                                     Owasp-board at lists.owasp.org
>>>>>>                                     https://lists.owasp.org/mailman/listinfo/owasp-board
