[Owasp-board] Discussion on Proposal 4

Jim Manico jim.manico at owasp.org
Fri Oct 9 20:52:09 UTC 2015


Tobias,

I have read all of the conversation and discussion carefully and I voted 
YES on all 11 of these proposals.

- Jim

On 10/9/15 10:49 PM, Tobias wrote:
> As our mailing-list got a bit swamped, this might have got lost in the 
> hundred voting emails, do we have any further discussion elements on 
> this one?
> And if people like to vote on this, can they please confirm that they 
> have at least acknowledged this discussion when casting their vote?
> Thanks, Tobias
>
>
> On 09/10/15 14:29, Andrew van der Stock wrote:
>> At the moment, and I would love to hear from the large project 
>> leaders here too, is that prior to this initiative, it was too hard 
>> for projects to spend money on anything really useful.
>>
>> I worked with Sam and applied for DHS grants expecting to be able to 
>> take some time off to work on the Developer Guide. The brouhaha was 
>> so much that I never felt I could use the granted DHS grant money 
>> granted specifically for us to work on the Developer Guide to work on 
>> the Developer Guide. In the end, I used some of the funds to go to 
>> AppSec USA 2013 to try and build some community, but was put into a 
>> really small room, and I ended up speaking to 10 folks who already 
>> knew about the Dev Guide. I got more out of the Project Summit than I 
>> did out of my talk.
>>
>> I don't want to get stuck into the past problems as we're trying to 
>> solve a general problem here, but giving new projects $500 when it's 
>> really hard for them to spend that money on anything useful is ... 
>> another form of ring fencing.
>>
>> I am prepared to be proven wrong, but I would hate for $500 * 130 = 
>> $65k to be so thinly spread that no one project can't do anything 
>> useful with it, but all projects as a whole have $65k less than they 
>> do today. This is the problem with the entire Community Engagement 
>> Funding, which unless you knew it existed, also doesn't get spent. 
>> You've already used CEF as an example of projects not spending money 
>> in previous go arounds on this topic.
>>
>> My view right now is not to vote yes on this one until we have a 
>> really good discussion about eliminating barriers for projects to 
>> spend their funds. This might need to be done later with a second 
>> proposal to work out a perpetual project summit budget, or 
>> alternative ideas such as VPS credits with our labs solution.
>>
>> thanks
>> Andrew
>>
>>
>> On Fri, Oct 9, 2015 at 1:10 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>
>>     Here is the current text for proposal 4:
>>
>>     *Upon creation of a new project or chapter, as long as they have
>>     at least two leaders they will be allocated a $500 budget to
>>     begin with.*
>>
>>     _*Tobias:*_
>>     COMMENT: I have been thinking a bit more on Michael's comment
>>     last night to reward activity. And I think some reward mechanism
>>     for chapter activity and project status would be right. IMO we
>>     should be consistent and apply the same criteria for "active" as
>>     we did in proposal 3.
>>
>>     _*Josh:*_
>>     I disagree here.  The biggest struggle for new chapter and
>>     project leaders is getting funding. We need to eliminate that
>>     struggle.  Obviously, chapters and projects are still subject to
>>     requirements and approval by our ops team, as they are today, and
>>     that should weed out any issues. Also, think about the current
>>     value of being an OWASP chapter or project leader.  If our goal
>>     is to attract more of these types of people to OWASP, then $500
>>     seems like a pretty small amount in the grand scheme of things to
>>     incentivize them to do so.
>>
>>     _*Tobias:*_
>>     Noted. I can see your point.
>>     But, we may have a different perception on the requirements and
>>     approval process by the ops team to create a new chapter/project.
>>     In my understanding, today, the barrier to setting up a chapter
>>     or project is intentionally very very low. Close to zero.
>>     Basically anyone can do it with close to zero evidence. So, I am
>>     here a bit more on the side of caution. My concern is to manage
>>     the potential risk of abuse. Call it "fiduciary ...".  I trust
>>     our community, but independent of trust, we also are responsible
>>     (and legally obliged) to put sufficient controls in place before
>>     releasing charity funds. With an active chapter or project there
>>     are at least some community review controls in place. I am
>>     concerned that we would not fulfil our fiduciary duty of
>>     protecting foundation money against fraud risks if we assign
>>     money immediately without the need for the chapter/project to be
>>     active. That is the reason why I proposed this alternative.
>>
>>     Do you and others think I am overprotective?
>>
>>     It would be helpful for me to hear some further board members'
>>     opinion on that before moving to a vote.
>>
>>     (On a note: Thinking about it, another way to achieve a higher
>>     minimum control of expenses for new projects could be to add some
>>     extra review for a new chapter/project expense (e.g. by the ops
>>     team, or maybe an active neighbour chapter) before we sign-off on
>>     expenses.)
>>
>>     _*Josh:*_
>>     The barrier may be low, but it is definitely not zero.  Noreen
>>     provided a bit of insight into her process for vetting chapter
>>     leaders at the Leader Sessions at AppSec.  She looks at resumes,
>>     loosely looks for associated references, etc.  We also have
>>     qualifications around the locations for new Chapters. I'm not as
>>     familiar with the process for Projects, but ultimately I don't
>>     think any of that matters much. Putting money in an account is no
>>     different than what happens today.  What matters are the controls
>>     around how that money gets spent.  Personally, I think you are
>>     being too overprotective here and we have controls in place to
>>     address your concern, but I'm open to the opinions of others.
>>
>>     ~josh
>>
>>     _______________________________________________
>>     Owasp-board mailing list
>>     Owasp-board at lists.owasp.org <mailto:Owasp-board at lists.owasp.org>
>>     https://lists.owasp.org/mailman/listinfo/owasp-board

-- 
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
