[Owasp-board] Higher standards for accepting OWASP projects especially defender library projects

Jim Manico jim.manico at owasp.org
Fri Nov 20 18:23:22 UTC 2015


I think it's important we let folks know it's out of date or is no longer 
maintained. I think it's fair to "demote" this project.

Rather than remove it from GitHub, I suggest just putting a warning on the 
GitHub page that it's no longer being maintained and has security 
issues. Someday, someone may want to fork or update this.

Aloha,
Jim


On 11/20/15 12:09 PM, johanna curiel curiel wrote:
> Hi Leaders,
>
> There was a very interesting discussion regarding the OWASP PHPSEC 
> library.
>
> The issues brought by some users of the library (Andrew Carter, James 
> Titcumb, Katy Ereira and Sven Rautenberg (a former contributor)) on the 
> GitHub repository mailing list is that the library contains many 
> security issues, it has not been maintained for more than a year and it 
> should be taken down from the OWASP GitHub repository.
>
> https://github.com/OWASP/phpsec/issues/108#issuecomment-158447768
> https://github.com/OWASP/phpsec/issues/108#issuecomment-158436572
> https://github.com/OWASP/phpsec/issues/108#issuecomment-158428769
> https://github.com/OWASP/phpsec/issues/108#issuecomment-158418384
>
> They all presented quite strong arguments, with code references, that 
> the library, even though it is an incubator project, can mislead 
> potential users of the project into using it (which happened to them). 
> They feel OWASP has a responsibility to not allow these projects to be 
> under OWASP GitHub and to delete them.
>
> While I argued that a lot of effort was put in by volunteers, which 
> might not have obtained the expected results, Andrew Carter argued back:
>
> /Could you confirm to me that you consider the feelings of your 
> volunteers and contributors more important than the security of the 
> applications developed by people trusting the OWASP namespace?/
>
> He presented a list of issues, and also Sven, the former contributor, 
> agreed that sadly the library should be taken down from GitHub, but 
> also from the OWASP inventory (to be set as inactive).
>
> I cc Claudia so this could be taken up internally with the staff, as 
> PHPSEC is not the only inactive library under OWASP GitHub and it 
> definitely needs a clean-up.
>
> The point I want to bring up is that higher standards are definitely 
> needed to allow projects, but especially when these projects are 
> 'security libraries'.
>
> Unfortunately, even though volunteers are making big efforts, I do 
> agree this is definitely not an excuse (as Andrew mentioned) to allow 
> them when people are trusting the OWASP name for security, even if it 
> is an incubator project.
>
>
>
> Regards
>
> Johanna

-- 
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
