[Owasp-board] [Owasp-leaders] Higher standards for accepting OWASP projects especially defender library projects

johanna curiel curiel johanna.curiel at owasp.org
Fri Nov 20 22:48:51 UTC 2015


Hi Claudia

This should include a clear label on the GitHub repository that the project
is also inactive.

regards

Johanna

On Fri, Nov 20, 2015 at 5:34 PM, Abdullahi Arabo <abdullahi.arabo at owasp.org>
wrote:

> I agree it is best to make it inactive
>
>
> On Friday, 20 November 2015, Claudia Casanovas <
> claudia.aviles-casanovas at owasp.org> wrote:
>
>> If there are no objections I will move the project to inactive at this
>> time.
>>
>> Please let me know if you have any questions or concerns.
>>
>> Thank you
>>
>> On Fri, Nov 20, 2015 at 10:46 AM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> I would recommend that we also consider moving the project to in
>>> proceed of completion.
>>>
>>> Hi Claudia, the problem is that the project is 'in completion' already, but
>>> it has quality issues that won't allow the project to move to LAB. The
>>> project is right now inactive.
>>>
>>>
>>>
>>> On Fri, Nov 20, 2015 at 2:38 PM, Claudia Casanovas <
>>> claudia.aviles-casanovas at owasp.org> wrote:
>>>
>>>> We can proceed with moving the project as inactive due to arguments
>>>> presented.
>>>>
>>>> I would recommend that we also consider moving the project to in
>>>> proceed of completion.
>>>>
>>>> This way the leader has an opportunity to make corrections and if
>>>> needed restart the project all together.
>>>>
>>>> Sent from my iPhone
>>>>
>>>> On Nov 20, 2015, at 1:26 PM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>> Hi Jim
>>>>
>>>> Based on the arguments the users provided, they find this library is not
>>>> useful and it must be started from scratch.
>>>>
>>>> They did not consider it enough to set a warning, which Sven has already
>>>> done.
>>>>
>>>> I think if a project is not using this space and is so insecure, it
>>>> should be taken down from the repository; it should be zipped and archived.
>>>>
>>>> regards
>>>>
>>>> Johanna
>>>>
>>>> On Fri, Nov 20, 2015 at 2:23 PM, Jim Manico <jim.manico at owasp.org>
>>>> wrote:
>>>>
>>>>> I think it's important we let folks know it's out of date or is no
>>>>> longer maintained. I think it's fair to "demote" this project.
>>>>>
>>>>> Rather than remove it from GitHub, I suggest just putting a warning on the
>>>>> GitHub page that it's no longer being maintained and has security issues.
>>>>> Someday, someone may want to fork or update this.
>>>>>
>>>>> Aloha,
>>>>> Jim
>>>>>
>>>>>
>>>>>
>>>>> On 11/20/15 12:09 PM, johanna curiel curiel wrote:
>>>>>
>>>>> Hi Leaders,
>>>>>
>>>>> There was a very interesting discussion regarding the OWASP PHPSEC
>>>>> library.
>>>>>
>>>>> The issues brought up by some users of the library (Andrew Carter, James
>>>>> Titcumb, Katy Ereira and Sven Rautenberg, a former contributor) on the
>>>>> GitHub repository mailing list are that the library contains many security
>>>>> issues, it has not been maintained for more than a year, and it should be
>>>>> taken down from the OWASP GitHub repository.
>>>>>
>>>>> https://github.com/OWASP/phpsec/issues/108#issuecomment-158447768
>>>>> https://github.com/OWASP/phpsec/issues/108#issuecomment-158436572
>>>>> https://github.com/OWASP/phpsec/issues/108#issuecomment-158428769
>>>>> https://github.com/OWASP/phpsec/issues/108#issuecomment-158418384
>>>>>
>>>>> They all presented quite strong arguments, with code references, that
>>>>> the library, even though it is an incubator project, can mislead
>>>>> potential users of the project into using it (which happened to them).
>>>>> They feel OWASP has a responsibility to not allow these projects to be
>>>>> under OWASP GitHub and to delete them.
>>>>>
>>>>> While I argued that a lot of effort was put in by volunteers, which
>>>>> might not have obtained the expected results, Andrew Carter argued back:
>>>>>
>>>>> *Could you confirm to me that you consider the feelings of your
>>>>> volunteers and contributors more important than the security of the
>>>>> applications developed by people trusting the OWASP namespace?*
>>>>>
>>>>> He presented a list of issues, and Sven, the former contributor, also
>>>>> agreed that sadly the library should be taken down from GitHub, but also
>>>>> from the OWASP inventory (to be set as inactive).
>>>>>
>>>>> I cc'd Claudia so this can be taken up internally with the staff, as
>>>>> PHPSEC is not the only inactive library under OWASP GitHub and it
>>>>> definitely needs a clean-up.
>>>>>
>>>>> The point I want to bring up is that higher standards are definitely
>>>>> needed to allow projects, but especially when these projects are 'security
>>>>> libraries'.
>>>>>
>>>>> Unfortunately, even though volunteers are making big efforts, I do
>>>>> agree this is definitely not an excuse (as Andrew mentioned) to allow them
>>>>> when people are trusting the OWASP name for security, even if it is an
>>>>> incubator project.
>>>>>
>>>>>
>>>>>
>>>>> Regards
>>>>>
>>>>> Johanna
>>>>>
>>>>> _______________________________________________
>>>>> Owasp-board mailing list
>>>>> Owasp-board at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>
>>>>> --
>>>>> Jim Manico
>>>>> Global Board Member
>>>>> OWASP Foundation
>>>>> https://www.owasp.org
>>>>>
>>>>>
>>>>
>>>
>>
>>
>> --
>>
>>
>> Claudia Aviles-Casanovas
>> Project Coordinator
>> Phone:973-288-1697
>>
>