[Owasp-board] Higher Criteria on Starting projects
matt.konda at owasp.org
Sun Jun 21 20:01:27 UTC 2015
I agree that there are issues with projects that get started and
abandoned. E.g. Orizon.
I support actively indicating maturity of projects so that people don't
come, download that and think that OWASP is old and outdated by that one
input. I think we could pretty easily leverage some of GitHub's existing
project metrics to make it clear whether a given thing is actively
maintained. I don't know if we need new criteria and I really don't know
if the biggest problems are new fledgling projects or older neglected
ones. Personally, I think "lab" projects convey what is needed for
"candidate" and we may be overly specific separating the two.
Given the recent news that SourceForge is embedding adware in binaries it
serves, I think OWASP should move to get all projects off of it. E.g.:
Overall, I think that we have an opportunity to continue to improve the
OWASP Project "Platform" to encourage the fledglings to mature faster.
That's what I would like to brainstorm about. I wonder if we could find a
way to consider # contributors, using GitHub, using issues, allowing pull
requests, seeing bugs fixed, seeing a roadmap and encourage projects to do
that and then help promote them when they do...
On Sun, Jun 21, 2015 at 3:38 PM, Jim Manico <jim.manico at owasp.org> wrote:
> I like this general strategy. I really think this is a "labeling" issue vs
> needing better criteria for entry.
> Jim Manico
> Global Board Member
> OWASP Foundation
> Join me at AppSecUSA <http://appsecusa.org/> 2015 in San Francisco!
> On Jun 21, 2015, at 9:14 AM, psiinon <psiinon at gmail.com> wrote:
> I like the fact that we have a low bar of entry, but definitely agree that
> we need to do a better job of making the useful/mature projects more
> Perhaps we could have a new 'Candidate' or 'Prospective' category, which
> has the existing low bar of entry, but doesn't confer full 'OWASP Project'
> These could then be listed on a separate page to the 'full' projects.
> Such projects would need to show a useful and significant deliverable to
> be even considered for promotion to labs.
> On Sun, Jun 21, 2015 at 6:49 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>> >Perhaps we could relabel incubator projects to not even be a project
>> until they hit lab level maturity?
>> Yes, maybe only when they reach the LAB status, we can call them OWASP
>> projects, including all the benefits that come along with being an OWASP
>> Our concern is that:
>> - Incubators are right now a huge part of the inventory and take time
>> to evaluate
>> - We want to graduate faster from Incubator to LAB a project that has
>> produced a substantial deliverable such as a finalised document or a
>> tool/code that works as a Beta version. (Example: OWASP top ten privacy
>> risk, OWASP IoT, Proactive controls, Python Security project).
>> - These projects deserve more exposure and attention and it is not fair
>> that they get lost among others that have not even produced anything
>> We have some very good Incubators but they get 'lost' in this large list
>> of projects among others that have no value at all and were started once
>> but actually do not work or have incomplete work.
>> On Sun, Jun 21, 2015 at 12:49 PM, Jim Manico <jim.manico at owasp.org>
>>> This is tricky since it's important to encourage experimentation.
>>> Perhaps we could relabel incubator projects to not even be a project
>>> until they hit lab level maturity?
>>> I'll put some more brain matter into this and get back to you. Thank you
>>> Jim Manico
>>> Global Board Member
>>> OWASP Foundation
>>> Join me at AppSecUSA <http://appsecusa.org/> 2015 in San Francisco!
>>> On Jun 21, 2015, at 5:25 AM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>> Dear Board and members of the Project Task Force
>>> A while ago, Timo Goosen and some OWASP members have expressed their
>>> concern regarding Projects (Incubators) and their low level of quality.
>>> It has come to our attention that there are projects started and in the
>>> opinion of some community members have very little added value to the
>>> OWASP project inventory. Therefore we want to revise the actual criteria
>>> but also we want to be as fair as we can providing opportunity to anyone to
>>> start a project, however we want value and projects that have a certain
>>> level of quality.
>>> I think we need to revise these criteria and create incentives for
>>> researchers interested to join OWASP with their projects.
>>> Right now we are giving a free pass to anyone, but we have seen way too
>>> many low quality projects that add no new value at all, in our opinion.
>>> Tools that sometimes do absolutely nothing to improve security or even
>>> reach a level of at least being properly installed or used.
>>> We would like to get some feedback on this, because we are really
>>> concerned that sometimes people use OWASP to start a project without
>>> substance or any added value.
>>> @Timo, feel free to comment on your concerns
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader