[Owasp-board] Higher standards for accepting OWASP projects especially defender library projects
jim.manico at owasp.org
Fri Nov 20 18:23:22 UTC 2015
I think it's important we let folks know it's out of date or is no longer
maintained. I think it's fair to "demote" this project.
Rather than remove it from GitHub, I suggest we just put a warning on the
GitHub page that it's no longer being maintained and has security
issues. Someday, someone may want to fork or update this.
On 11/20/15 12:09 PM, johanna curiel curiel wrote:
> Hi Leaders,
> There was a very interesting discussion regarding the OWASP PHPSEC.
> The issues brought up by some users of the library (Andrew Carter, James
> Titcumb, Katy Ereira and Sven Rautenberg, a former contributor) on the
> GitHub repository mailing list are that the library contains many
> security issues,
> it has not been maintained for more than a year, and it should be
> taken down from the OWASP GitHub repository.
> They all presented quite strong arguments, with code references, that
> the library,
> even though it is an incubator project, can
> mislead potential users into using it (which happened to them).
> They feel OWASP has a responsibility to not allow these projects to be
> under OWASP GitHub and to delete them.
> While I argued that a lot of effort was put in by volunteers, which
> might not have obtained the expected results, Andrew Carter argued back:
> /Could you confirm to me that you consider the feelings of your
> volunteers and contributors more important than the security of the
> applications developed by people trusting the OWASP namespace?/
> He presented a list of issues, and Sven, the former contributor,
> also agreed that sadly the library should be taken down from GitHub, but
> also from the OWASP inventory (to be set as inactive).
> I cc Claudia so this can be taken up internally with the staff, as
> PHPSEC is not the only inactive library under OWASP GitHub and it
> definitely needs a clean-up.
> The point I want to bring up is that higher standards are definitely
> needed to allow projects, but especially when these projects are
> 'security libraries'.
> Unfortunately, even though volunteers are making big efforts, I do
> agree this is definitely not an excuse (as Andrew mentioned) to allow
> them when people are trusting the OWASP name for security, even if it
> is an incubator project.
Global Board Member