[Owasp-board] Higher standards for accepting OWASP projects especially defender library projects

johanna curiel curiel johanna.curiel at owasp.org
Fri Nov 20 18:46:37 UTC 2015


> I would recommend that we also consider moving the project to in
> proceed of completion.

Hi Claudia, the problem is that the project is 'in completion' already, but it
has quality issues that won't allow the project to move to LAB. The
project is right now inactive.



On Fri, Nov 20, 2015 at 2:38 PM, Claudia Casanovas <
claudia.aviles-casanovas at owasp.org> wrote:

> We can proceed with moving the project as inactive due to arguments
> presented.
>
> I would recommend that we also consider moving the project to in
> proceed of completion.
>
> This way the leader has an opportunity to make corrections and if needed
> restart the project all together.
>
> Sent from my iPhone
>
> On Nov 20, 2015, at 1:26 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
> Hi Jim
>
> Based on the arguments the users provided, they find this library is not
> useful and it must be started from scratch.
>
> They did not consider it enough to set a warning, which Sven has already done.
>
> I think if a project is not using this space and is so insecure, it should
> be taken down from the repository, zipped and archived.
>
> regards
>
> Johanna
>
> On Fri, Nov 20, 2015 at 2:23 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> I think it's important we let folks know it's out of date or is no longer
>> maintained. I think it's fair to "demote" this project.
>>
>> Rather than remove it from GitHub, I suggest just putting a warning on the
>> GitHub page that it's no longer being maintained and has security issues.
>> Someday, someone may want to fork or update this.
>>
>> Aloha,
>> Jim
>>
>>
>>
>> On 11/20/15 12:09 PM, johanna curiel curiel wrote:
>>
>> Hi Leaders,
>>
>> There was a very interesting discussion regarding the OWASP PHPSEC
>> library.
>>
>> The issues brought up by some users of the library (Andrew Carter, James
>> Titcumb, Katy Ereira and Sven Rautenberg, a former contributor) on the
>> GitHub repository mailing list are that the library contains many security
>> issues, it has not been maintained for more than a year, and it should be
>> taken down from the OWASP GitHub repository.
>>
>> https://github.com/OWASP/phpsec/issues/108#issuecomment-158447768
>> https://github.com/OWASP/phpsec/issues/108#issuecomment-158436572
>> https://github.com/OWASP/phpsec/issues/108#issuecomment-158428769
>> https://github.com/OWASP/phpsec/issues/108#issuecomment-158418384
>>
>> They all presented quite strong arguments, with code references, that the
>> library, even though it is an incubator project, can mislead potential
>> users of the project into using it (which happened to them).
>> They feel OWASP has a responsibility not to allow these projects to be
>> under OWASP GitHub and to delete them.
>>
>> While I argued that a lot of effort was put in by volunteers, which might
>> not have obtained the expected results, Andrew Carter argued back:
>>
>> *Could you confirm to me that you consider the feelings of your
>> volunteers and contributors more important than the security of the
>> applications developed by people trusting the OWASP namespace?*
>>
>> He presented a list of issues, and Sven, the former contributor, also agreed
>> that sadly the library should be taken down from GitHub, but also from the
>> OWASP inventory (to be set as inactive).
>>
>> I cc'd Claudia so this could be taken up internally with the staff, as PHPSEC
>> is not the only inactive library under OWASP GitHub and it definitely needs
>> a clean-up.
>>
>> The point I want to bring up is that higher standards are definitely
>> needed to allow projects, especially when these projects are 'security
>> libraries'.
>>
>> Unfortunately, even though volunteers are making big efforts, I do agree
>> this is definitely not an excuse (as Andrew mentioned) to allow them when
>> people are trusting the OWASP name for security, even if it is an
>> incubator project.
>>
>>
>>
>> Regards
>>
>> Johanna
>>
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>
>>
>> --
>> Jim Manico
>> Global Board Member
>> OWASP Foundation
>> https://www.owasp.org
>>
>>
>