[Owasp-board] [Governance] Stepping down from Project Reviews
Jim Manico
jim.manico at owasp.org
Wed Sep 2 20:24:36 UTC 2015
Johanna,
This is a *very* serious matter. Manipulating reviews of projects I
manage would be grounds to have me dismissed from the board. If you are
seriously concerned that my involvement would lead to ethical problems of
that nature, then I encourage you to talk to other board members and
escalate this issue. Corruption of that nature is very serious and would
be a breach of my fiduciary duty to the OWASP Foundation.
My main concern (and my sole reason for involvement) is that OWASP
presents its catalog of projects in a fair way. In the past, we held up
projects as "Flagship" that had very serious quality issues. I do not
feel that is the case any more.
Is there anything else you are concerned with while we are on the topic
of ethics and project review?
- Jim
On 9/2/15 10:17 AM, johanna curiel curiel wrote:
> As long as your role is clear in this process, including no influence
> in who reviews your projects😜
>
> cheers
>
> Johanna
>
> On Wed, Sep 2, 2015 at 4:09 PM, Jim Manico <jim.manico at owasp.org
> <mailto:jim.manico at owasp.org>> wrote:
>
> Johanna,
>
> Transparency wins here. :) Claudia is leading this process and
> asked me to help. I am super happy to do so. Everyone is invited;
> the invite is on the OWASP global calendar. The discussions will
> all continue in public on the project list. When you were lead you
> asked me questions and asked me for feedback on many occasions -
> I'd like to offer that same help to Claudia since I've been around
> OWASP projects for many years.
>
> The line I draw is that while I am happy to help comment on the
> review process, I do not actually do any reviews because I am a
> project leader of several projects.
>
> Does that line seem reasonable, Johanna?
>
> Aloha,
>
> --
> Jim Manico
> Global Board Member
> OWASP Foundation
> https://www.owasp.org
> Join me at AppSecUSA 2015!
>
>
> On 9/2/15 10:03 AM, johanna curiel curiel wrote:
>> Jim
>>
>> Improvements are always possible.
>>
>> You are a member of the board and are leading many projects.
>>
>> Conflict of interest is at high stake in this position. That is a
>> ticklish zone.
>>
>> cheers
>>
>> Johanna
>>
>>
>>
>>
>> On Wed, Sep 2, 2015 at 3:31 PM, Jim Manico <jim.manico at owasp.org
>> <mailto:jim.manico at owasp.org>> wrote:
>>
>> > I hope you understand that we did try many things for
>> automation.
>>
>> Of course! Life is an evolution. We're going to keep working
>> on it! :)
>>
>> > In Openduck all projects are registered and have a 'review
>> this project' form where you can provide a start and
>> comments. We tried that approach. We made google forms, we
>> made google sheets, we built simple criteria.
>>
>> This is all great, I'm a big fan of openduck. We're likely
>> going to keep using it. And we will also put some fresh eyes
>> on it to see if we can improve.
>>
>> > A JIRA donated with the help of Norman Yuen to create tasks
>> and follow ups, Jonathan Johnson who setup a server with
>> automated builds, the SWAMP to build projects... We did try
>> automation and a lot.
>>
>> Great stuff! :)
>>
>> > Before you go and attempt a new thing, let's share experience
>> and not repeat the same approaches.
>>
>> Johanna, don't worry we're all professionals. Good folks will
>> be looking at this. We certainly do not want to re-do things
>> that do not need to be re-done.
>>
>> > I hope you understand that after spending 2 years in
>> reviews the main problem in my opinion based on my
>> experience, is getting the right people to spend time to review.
>>
>> I understand that issue. I hope to find a more streamlined
>> way to on-board reviewers for one or two reviews. I have a
>> knack for getting folks involved. :) We're on it.
>>
>> > It's just not simple.
>>
>> Hahaha! Nothing is simple at OWASP, I agree!
>>
>> > Open source security projects are not simple to test or use
>> *this part cannot be automated*. If you are not a developer
>> with some security background you cannot even test more than
>> half of them. Every project has its own way to build and install.
>>
>> Well said, I agree.
>>
>> > The automation is already there for handling the review
>> once it is done.
>>
>> I hear you. We've set a meeting to review everything in place
>> and posted that to the project review list. There might be
>> some things we can improve, maybe not.
>>
>> > We must create incentives for people to go and review.
>> People that have the knowledge capable of reviewing. Example:
>> If you are not a (Java) developer how can you test and
>> review CSRFGuard, Dependency, Appsensor? HTML sanitiser? If
>> you are not a .NET developer how can you use webgoat.NET or
>> O2 project?
>>
>> I agree, that is something that we plan to discuss.
>>
>> > I hope you get my point.
>>
>> Completely. As OWASP volunteers step away from important
>> initiatives, that is ok! That is part of the flow of OWASP.
>> But as some step away, others will step in and take over and
>> try to continue that work. I hope you are ok with that and
>> you get my points here that we are going to try to make
>> improvements where we can and take this seriously!
>>
>> And Johanna, again, you did amazing work. There are a few
>> areas I think can be improved, but I was always hesitant to
>> dive into project review that much because I did not want to
>> be a board member who was interfering with your work.
>>
>> I respect the fact that you want to step away. There are
>> tons of other things to do at OWASP that would make you
>> happier. I can tell by your emails the last month or two that
>> you are unhappy with OWASP and that certainly affects me. I
>> take everything regarding OWASP very personally, especially
>> from super active volunteers like yourself.
>>
>> So when you say, I plan to step away this time, I think you
>> really mean it. Since I'm the board liaison for projects, I'm
>> going to step in and help Claudia keep this ship sailing. The
>> only thing that is constant is change and the way reviews are
>> done will certainly change in some ways as a different crew
>> takes over. I hope that is ok with you. It's just the natural
>> progression of things and no disrespect is meant.
>>
>> Aloha,
>> Jim Manico
>>
>>>
>>> And yes I do appreciate all the support you have personally
>>> given me and the Curacao community. It has been a great
>>> OWASP push from you for the Caribbean region.
>>>
>>> Cheers and Aloha
>>>
>>> Johanna
>>>
>>> On Wed, Sep 2, 2015 at 2:52 PM, Jim Manico
>>> <jim.manico at owasp.org <mailto:jim.manico at owasp.org>> wrote:
>>>
>>> Johanna,
>>>
>>> I want you to know that your work is going to continue.
>>> We're looking to automate more of the review process, we're
>>> going to onboard new reviewers carefully and also take a
>>> second look at the processes in place. I hope this is a
>>> good thing in your mind. I personally think it's a very
>>> important part of the foundation and I've thanked you
>>> more times than I can count.
>>>
>>> I even flew to your home island to give you your WASPY
>>> award in person. Don't you know why I did that? No, it was
>>> not for vacation, I live on a vacation island already.
>>> ;) I flew to Curacao because I believe in what you are
>>> doing and wanted to thank you in person.
>>>
>>> Project reviews and projects in general are very
>>> important to the foundation and I plan to assist Claudia
>>> and staff as they see fit to keep the review party going.
>>>
>>> I would not be able to even say that if it were not for
>>> the massive efforts from you over the past few years.
>>> Thank you!
>>>
>>> Aloha,
>>> --
>>> Jim Manico
>>> Global Board Member
>>> OWASP Foundation
>>> https://www.owasp.org <https://www.owasp.org/>
>>> Join me at AppSecUSA <http://appsecusa.org/> 2015!
>>>
>>> On Sep 2, 2015, at 8:41 AM, Josh Sokol
>>> <josh.sokol at owasp.org <mailto:josh.sokol at owasp.org>> wrote:
>>>
>>>> Johanna,
>>>>
>>>> You have both my attention and my support with this
>>>> initiative and I agree that it's, at least at this
>>>> point in time, a far better use of our time than in
>>>> trying to wrangle with project reviews and whatnot.
>>>> You did a fantastic job with those for a very long time
>>>> and with little recognition for it, though I do think
>>>> you won a WASPY for it, didn't you? At least that's
>>>> something. In any case, let's figure out how to build
>>>> those stairs to reach those bananas. If it requires
>>>> changing some policies to make funds more accessible,
>>>> then I can definitely help to push those changes. What
>>>> policies currently stand in your way (i.e. what is the
>>>> rationale for being told "no")? What new policies would
>>>> be reasonable? What is a reasonable approach to making
>>>> sure that limited funds are spent on the things that
>>>> matter most and in alignment with the OWASP mission?
>>>>
>>>> ~josh
>>>>
>>>> On Wed, Sep 2, 2015 at 12:05 PM, johanna curiel curiel
>>>> <johanna.curiel at owasp.org
>>>> <mailto:johanna.curiel at owasp.org>> wrote:
>>>>
>>>> >I certainly cannot speak for all Projects, but every
>>>> time I tried to get the things I needed for a
>>>> project, I got either a denial or a big silence. So
>>>> the first thing needed is, if there is money
>>>> available, more communication and an easy way to
>>>> get to it[....] In summary, my experience in
>>>> getting money or support for OWASP projects is bad.
>>>> IMHO, this is why so many projects die.
>>>> [...]And lastly, I did not compare Chapters and
>>>> Projects. I did compare the treatment that they get
>>>> from OWASP.
>>>>
>>>> You are not the only one with the same issues. I
>>>> have the same experience too, as do many others.
>>>>
>>>> Let's accept that we have a problem and no, I don't
>>>> blame the Board for that, but I'm asking for your
>>>> attention and we have to admit that we need to work
>>>> on this. And the person asking for your attention is a
>>>> volunteer who has dedicated her time the last 3
>>>> years trying to improve a system and contributing
>>>> to multiple activities. I think I deserve a small
>>>> acknowledgement for that.
>>>>
>>>> This is part of the evolution OWASP is having from
>>>> a small to a bigger organisation. A natural process.
>>>> From US to Global.
>>>>
>>>> What I mean with a good platform in place is more
>>>> than money in the community fund.
>>>>
>>>> That money feels like a banana hanging too high to
>>>> reach and no stairs to reach it for project leaders.
>>>>
>>>> Platform means communication, managing resources,
>>>> support and much more. And money helps but a good
>>>> plan is necessary.
>>>>
>>>> It means having the stair (the platform) to make
>>>> available those funds, so they become available.
>>>>
>>>> And I know that the problem is we have not worked on
>>>> creating the 'stair'.
>>>>
>>>> This is where I want to dedicate my efforts so I
>>>> will submit to form a committee to create the stair
>>>> for better development of OWASP projects. I care
>>>> about them, I use them, I want to see fair
>>>> opportunities for everyone.
>>>>
>>>>
>>>> On Wed, Sep 2, 2015 at 11:42 AM, Lucas Ferreira
>>>> <lucas.ferreira at owasp.org
>>>> <mailto:lucas.ferreira at owasp.org>> wrote:
>>>>
>>>> Josh,
>>>>
>>>> I certainly cannot speak for all Projects, but
>>>> every time I tried to get the things I needed
>>>> for a project, I got either a denial or a big
>>>> silence. So the first thing needed is, if there
>>>> is money available, more communication and an
>>>> easy way to get to it.
>>>>
>>>> I will put here my experience. Others can say
>>>> if they face similar issues or not.
>>>>
>>>> First, as part of the
>>>> https://www.owasp.org/index.php/OWASP_Brasil_Manifesto,
>>>> I tried to get money to pay for a professional
>>>> public relations person/company to help us
>>>> promote the manifesto to the Brazilian
>>>> congress. I learnt the hard way (from
>>>> organizing AppSec conferences) that a good PR
>>>> person can make a real difference. At the time,
>>>> I asked for USD 2600 to pay the PR but could
>>>> not get the money.
>>>>
>>>> Second, as part of
>>>> https://www.owasp.org/index.php/OWASP_File_Hash_Repository,
>>>> I needed a server to use to deploy the initial
>>>> code and help collecting data. I also needed a
>>>> DNS entry. I ended up paying for the VM myself
>>>> and used my own private domain for the DNS
>>>> because I could not get it from OWASP.
>>>>
>>>> Lastly, as part of
>>>> https://www.owasp.org/index.php/OWASP_Portuguese_Language_Project,
>>>> we tried to get money to hire translators and
>>>> professional writers to work with the more tech
>>>> oriented volunteers with no luck.
>>>>
>>>> In summary, my experience in getting money or
>>>> support for OWASP projects is bad. IMHO, this
>>>> is why so many projects die.
>>>>
>>>> And just to be sure, unlike Johanna, I think
>>>> money is a big issue as it could be used to
>>>> remove some of the load from volunteers. An
>>>> example is the translation projects: we could
>>>> leverage the knowledge of our network of
>>>> volunteers, without requiring them to do all
>>>> the work, by relying on professional services.
>>>> So, the issue is to have money to buy the
>>>> services needed by the projects, from VMs to
>>>> professional services.
>>>>
>>>> And lastly, I did not compare Chapters and
>>>> Projects. I did compare the treatment that they
>>>> get from OWASP.
>>>>
>>>> Regards,
>>>>
>>>> Lucas
>>>>
>>>>
>>>> On Wed, Sep 2, 2015 at 5:06 PM Josh Sokol
>>>> <josh.sokol at owasp.org
>>>> <mailto:josh.sokol at owasp.org>> wrote:
>>>>
>>>> I believe Johanna said "It's not about
>>>> money". Every time I hear someone say that
>>>> it is, I cringe a little because I know
>>>> that we allocated $50,000 in Community
>>>> Engagement Funding this year to projects
>>>> alone and have $15,650 of that remaining
>>>> (https://owasp.org/index.php/Community_Engagement_-_Payments).
>>>> I also know that if there's a need that
>>>> goes beyond what is budgeted, we have ways
>>>> to make that happen outside of this
>>>> channel. For example, when Dinis asked for
>>>> $100,000 for a Project Summit, we said
>>>> "Give us a plan and we'll discuss."
>>>>
>>>> I also cringe when I hear people compare
>>>> the Projects to the Chapters or vice versa.
>>>> They are both unique and important to
>>>> OWASP. Both have needs that we need to
>>>> satisfy. Chapters have historically been
>>>> more successful in fundraising because of
>>>> the large volume of people involved with
>>>> them, but that doesn't make them better or
>>>> worse. Just different. Let's be honest,
>>>> the Chapter model of fundraising doesn't
>>>> really work for Projects. That's ok...we
>>>> just need to find other ways.
>>>>
>>>> So, let's assume that money is not an
>>>> issue. What are the needs that our Projects
>>>> have that OWASP is not currently
>>>> fulfilling? I don't claim to be an expert
>>>> on Projects. I don't routinely work with
>>>> them and the one project that I tried to
>>>> start at OWASP died a very quick death. It
>>>> was an issue with time and volunteerism,
>>>> though, and had nothing to do with the
>>>> OWASP platform. I understand and agree
>>>> that it's not about things you can get for
>>>> free like GitHub or wiki pages. So, what is
>>>> it? What do you need? We have an in-house
>>>> graphic designer. We have companies that
>>>> we work with for publishing. We hired a
>>>> full-time person to help with projects. If
>>>> there are needs that aren't being met here,
>>>> then what are they? What can OWASP do to
>>>> make Projects more successful?
>>>>
>>>> ~josh
>>>>
>>>> On Wed, Sep 2, 2015 at 9:39 AM, Lucas
>>>> Ferreira <lucas.ferreira at owasp.org
>>>> <mailto:lucas.ferreira at owasp.org>> wrote:
>>>>
>>>> Dear Johanna,
>>>>
>>>> It is very sad that you are stepping
>>>> down, but you nailed it when you said:
>>>>
>>>> "I hope that in the future there is a
>>>> clear perspective how to help projects
>>>> develop better. So far I have not seen
>>>> major initiatives directed on improving
>>>> a platform. A platform is not a wiki
>>>> page, not a github account, these
>>>> things are already free without OWASP
>>>> support."
>>>>
>>>> For a long time already, I have the
>>>> same feeling that OWASP is always
>>>> discussing chapters and their
>>>> bank accounts and never about projects.
>>>> I just hope one day OWASP will be able
>>>> to see that projects are what makes
>>>> OWASP known and respected.
>>>>
>>>> I have talked to a few leaders of
>>>> open-source projects about bringing
>>>> their projects to OWASP and, in the
>>>> end, the feeling is that all they would
>>>> get is the ability to benefit from the
>>>> OWASP "brand". We should offer project
>>>> leaders more than the opportunity to
>>>> beg chapters for money.
>>>>
>>>> Regards and good luck,
>>>>
>>>> Lucas
>>>>
>>>> On Wed, Sep 2, 2015 at 4:19 PM johanna
>>>> curiel curiel <johanna.curiel at owasp.org
>>>> <mailto:johanna.curiel at owasp.org>> wrote:
>>>>
>>>> Members of the board,
>>>>
>>>> I have decided to step down from
>>>> the project reviews activities.
>>>>
>>>> I have been doing continuous reviews
>>>> for the last 2 years; especially the
>>>> last year I was quite involved in a
>>>> major clean up of the project
>>>> inventory, together with other
>>>> members that participated on an
>>>> on/off basis.
>>>>
>>>> That does not mean I'll step down
>>>> from every activity I have been
>>>> working on the last years at OWASP.
>>>> Indeed, now I'll focus my attention
>>>> on those activities that I feel
>>>> have provided me with a higher level
>>>> of reward and a grateful feeling.
>>>>
>>>> Unfortunately, I cannot say the
>>>> same for reviewing projects. The
>>>> greatest reward I had from that
>>>> activity is what I learned from
>>>> many projects over the last 2 years,
>>>> not just looking, but downloading,
>>>> testing and using them and
>>>> volunteering on their activities.
>>>>
>>>> It is a ticklish activity that
>>>> has provided me very little
>>>> satisfaction but disappointment.
>>>> It never seems to be enough, even when
>>>> people have little idea how much
>>>> time is needed to use an open
>>>> source project, let alone
>>>> understand it. I'm a volunteer,
>>>> not an OWASP employee. Let's clarify
>>>> that for people that might read this.
>>>>
>>>> I think Claudia, as her
>>>> predecessor Kait-Disney did, can
>>>> surely help maintain
>>>> inactive/active projects
>>>> monitoring. Another ticklish
>>>> activity, about which we hear many
>>>> complaints regarding inactive
>>>> projects wanted to keep alive.
>>>> Politically driven necessities to
>>>> have wiki pages of empty projects,
>>>> that's what we finished and hope you
>>>> can continue for the sake of users.
>>>>
>>>> The actual situation is that
>>>> Project leaders are definitely on
>>>> their own, and they should
>>>> understand that: when it comes to
>>>> having a platform at OWASP for
>>>> developing projects, they have very
>>>> little support on this.
>>>>
>>>> It's not about money, it's about a
>>>> platform, a process and a way to be
>>>> able to make a project a reality no
>>>> matter if you are in India,
>>>> Pakistan, or Africa. The inequality
>>>> between these worlds is very
>>>> obvious when we look at projects
>>>> in the US or EU compared to 'developing
>>>> countries'. Big security companies
>>>> are not behind these leaders to
>>>> support them with time or resources.
>>>>
>>>> I hope that in the future there is
>>>> a clear perspective on how to help
>>>> projects develop better. So far I
>>>> have not seen major initiatives
>>>> directed at improving a platform. A
>>>> platform is not a wiki page, not a
>>>> github account, these things are
>>>> already free without OWASP support.
>>>>
>>>> I think people hoping to secure
>>>> their web applications using OWASP
>>>> tools can have better ways for
>>>> doing it if more energy is directed
>>>> towards supporting a better
>>>> structure for developing OWASP
>>>> projects.
>>>>
>>>> This is where my energy will be
>>>> from now on. Hopefully with the
>>>> right support.
>>>>
>>>>
>>>> Regards
>>>>
>>>> Johanna
>>>> _______________________________________________
>>>> Governance mailing list
>>>> Governance at lists.owasp.org
>>>> <mailto:Governance at lists.owasp.org>
>>>> https://lists.owasp.org/mailman/listinfo/governance
>>>>
>>>>
>>>
>>>
>>
>> --
>> Jim Manico
>> Global Board Member
>> OWASP Foundation
>> https://www.owasp.org
>> Join me at AppSecUSA 2015!
>>
>>
>
>
--
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015!