[Owasp-board] Let's stand together against DCMA and similar laws

Tiffany Long tiffany.long at owasp.org
Thu Aug 11 21:21:28 UTC 2016


Hey Johanna, I don't want any confusion so I copied the email and will
answer in line in red, this way it is easy to follow on all email systems.


Hi Tiffany

In answer to the steps described:

*>>The first step* is for the group of you asking for the committee to
write a proposal
We have set this proposal as a wiki page here:
https://www.owasp.org/index.php/Committee_DMCA1201
This is fine, but unfortunately it does not follow the requirements
outlined by the Committees 2.0 document.  The document says:

*"At any point in time, a community member may propose a new committee via
the OWASP Leaders List stating their rationale and desired scope for
creating a new committee. , ..."*

This is why I explained that the proposal must A) follow this procedure and
not be a wiki page and B) cautioned y'all to consider widening the scope of
the committee. The Committees 2.0 process was set forth to ensure that
OWASP follows our Core Values
<https://tracking.cirrusinsight.com/31d051c7-d0ce-4703-8a9d-6c31bdb5a856/owasp-org-index-php-about-the-open-web-application-security-project>
in order to achieve our Core Purpose
<https://tracking.cirrusinsight.com/31d051c7-d0ce-4703-8a9d-6c31bdb5a856/owasp-org-index-php-about-the-open-web-application-security-project1>.
Not following the rules put forth violates our values of being an Open and
Global organization. Selectively enforcing them clouds our transparency and
makes future Innovation more difficult.

The core value of Innovation is also why I suggested the purpose of
the committee be broader.  There will be other actions that the committee
will wish to take, the committee could put OWASP in a leadership position
with regards to DRM and Privacy in the security space.

*>>The second step* is to submit it to the leaders' list for discussion.
This is happening right now as we write
The goal is not only this action but:
The major purpose to *support and protect Researchers Who Investigate
Browsers.*
Now this action is asking the OWASP board to sign as an organisation and not
just individual members.
We don't know if any other actions against researchers that will happen
in the future and in which form, but then, we will define those actions
when they happen. Right now is to sign the signatories as OWASP
organization.
Unfortunately, there is no clear proposal here. The closest thing is a wiki
page that has not been suggested at the top of the conversation and
therefore there are a number of people currently excluded from the
conversation.  The proposal should be a stand alone conversation and
contained in the very first email.  The subject line should clearly note
that the conversation is about the forming of a new committee.  Remember,
everything we do must be determined by our core values.  We must ensure
Openness and that is done by following the established guidelines.

The goal is listed as
<https://tracking.cirrusinsight.com/31d051c7-d0ce-4703-8a9d-6c31bdb5a856/owasp-org-index-php-committee-dmca1201>
"*Have OWASP as an organisation, not just individuals, officially support
to protect researchers by being part of the signatories as an organization.*"
Once again, the goal to have OWASP sign on to this support document
is laudatory, but Privacy and DRM is a much larger topic and I am sure
OWASP should say much more on it.  Therefore I would strongly suggest that
a healthy and effective committee would have a larger mission than this one
action item. Once this is achieved the committee would no longer exist
if the scope is defined so narrowly. Why go through this process every
time we want OWASP to act when a standing committee could do it all much
faster?

>>This conversation must take long enough for membership to take part.  No
limit is listed on the Committees 2.0 document, but it HAS to be longer
than 24 hours to accommodate our global membership.

Agree, in the committee creation wiki document it mentions 7 days. We can
try to keep alive the conversation and allow other members to participate
until the board meeting on the 23rd.

Actually, the only part of the process that MUST take 7 days is the call
for members.  You have the freedom to set reasonable boundaries around this
conversation.  I would argue that 3 days or until the conversation peters
out is a pretty accessible answer.

*" If no conflict
<https://tracking.cirrusinsight.com/31d051c7-d0ce-4703-8a9d-6c31bdb5a856/owasp-org-index-php-governance-owasp-committees>
is determined to exist, the Board will initiate a public call for OWASP
members interested in committee membership, via the OWASP Community mailing
list, with a seven day time window."*


*>>The third step* is to submit to the board.
I think we will do this once the 7 days have passed or wait the next Board
meeting which gives us plenty of time
Next OWASP meeting is August 23rd, and this is the moment we will submit
the proposal of approving the committee including proving an official
letter as an Organisation against the DMCA act.

You may wait should you choose to.   You asked if it could get through more
quickly; that is possible as well.

Importantly here, you are only requesting that the board create a
committee.  That means that the committee does not yet exist to present the
board with a letter.  That letter must come THROUGH the committee AFTER the
call for members.  The reason for these rules is to give the community time
to gather behind the effort and to prevent particular members
from haring off to do something the community does not agree with.  You
yourself have called for such controls in the past 2 months, it is
important that we follow the guidelines set forth by the organization.


*>>The fourth step* is for the board (probably through me) to release a call
for committee members.
I think this is already happening right now. You can help us set out the
word by releasing a call and social media, so people can join, but so far
only *OWASP paying members* can actually be part of the committee. As
supporters in case the person is not an OWASP member, they can set their
name under the Supporter section of the wiki page
https://www.owasp.org/index.php/Committee_DMCA1201#Supporters

No, this is not happening.  A call for committee members can only happen
after the board approves the committee.  These steps
<https://tracking.cirrusinsight.com/31d051c7-d0ce-4703-8a9d-6c31bdb5a856/owasp-org-index-php-governance-owasp-committees1>
have been delineated for a reason and as such should be followed until
changed.  Otherwise any small part of the group could determine changes to
the organization without comment from the rest of the community. These
steps cannot take place when only one part of the world is awake, and they
cannot take place simultaneously.

I totally understand that this is exciting and greatly wanted, but the
actions to put something in motion that has a ton of high-visibility
support must be exactly the same we want to take place for actions that
have very little support in the community.  This is how we adhere to our
core value of radical transparency. Transparent rules have been set forth,
they must be followed.

This is why I broke the process down for this thread so that it is clear
and easy to do.  I want to facilitate this, but we must follow the
guidelines.


If this 'call for committee' members requires at least 5 OWASP members and
we already have 5 which is the minimum. Based on this we can actually submit
a proposal.

First, The call for committee members has not gone out yet, it goes out
through the board likely by way of the community manager.  This is to
ensure that everyone has a chance and that the call is impartial. We have a
transparent process, we need to stick to it rather than reinventing the
wheel in such a way that transparency is compromised.

Second, before the committee can submit anything it has to MEET and all
members have to have a chance to be there.  So far the global community has
not even had the chance to ponder a new committee.

Of course the more members that want to join the better, but I hope we do
make this too bureaucratic otherwise we lose momentum with regards the
DMCA signatories.

I think the most important thing is that OWASP remain true to our core
values and focus on protecting our transparency.  This whole process can be
completed in 2.5 weeks easily.  Forming a committee that has the ability to
put forth policy and activism suggestions for the foreseeable future is far
more important than the small possibility of missing one opportunity.  If
this goal is truly worthy of putting all of our collective might behind,
doing it the correct and transparent way is the only real choice.
Attempting to re-litigate the rules over and over until they are changed
will only take time from the process and alienate supporters.

Committees wield real power and have the opportunity to speak for thousands
of OWASPers.  I do not think that 2 weeks is much to ask for effective,
supported committees.
Running ahead, with no clear goal and not following the process that was
voted into existence by the board will only alienate many in our community
and undermine future efficacy.

For example, a committee not only has the right to ask OWASP to be
signatories, but to direct press releases and draft the responses to future
advocacy activities.


Tiffany Long
Community Manager

On Thu, Aug 11, 2016 at 1:15 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Hi Tiffany
>
> In answer to the steps described:
>
> *>>The first step* is for the group of you asking for the committee to
> write a proposal
> We have set this proposal as a wiki page here:
> https://www.owasp.org/index.php/Committee_DMCA1201
>
> *>>The second step* is to submit it to the leaders' list for discussion.
> This is happening right now as we write
> The goal is not only this action but:
> The major purpose to *support and protect Researchers Who Investigate
> Browsers.*
> Now this action is asking the OWASP board to sign as an organisation and not
> just individual members.
> We don't know if any other actions against researchers that will happen
> in the future and in which form, but then, we will define those actions
> when they happen. Right now is to sign the signatories as OWASP
> organization.
>
> >>This conversation must take long enough for membership to take part.
> No limit is listed on the Committees 2.0 document, but it HAS to be longer
> than 24 hours to accommodate our global membership.
>
> Agree, in the committee creation wiki document it mentions 7 days. We can
> try to keep alive the conversation and allow other members to participate
> until the board meeting on the 23rd.
>
>
> *>>The third step* is to submit to the board.
> I think we will do this once the 7 days have passed or wait the next Board
> meeting which gives us plenty of time
> Next OWASP meeting is August 23rd, and this is the moment we will submit
> the proposal of approving the committee including proving an official
> letter as an Organisation against the DMCA act.
>
> *>>The fourth step* is for the board (probably through me) to release a
> call for committee members.
> I think this is already happening right now. You can help us set out the
> word by releasing a call and social media, so people can join, but so far
> only *OWASP paying members* can actually be part of the committee. As
> supporters in case the person is not an OWASP member, they can set their
> name under the Supporter section of the wiki page
> https://www.owasp.org/index.php/Committee_DMCA1201#Supporters
>
>
> If this 'call for committee' members requires at least 5 OWASP members and
> we already have 5 which is the minimum. Based on this we can actually submit
> a proposal.
>
> Of course the more members that want to join the better, but I hope we do
> make this too bureaucratic otherwise we lose momentum with regards the
> DMCA signatories.
>
>
>
> On Thu, Aug 11, 2016 at 3:43 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
> wrote:
>
>> Tiffany,
>>
>> I think Johanna was referring to this link:
>> https://www.owasp.org/index.php/Committee_DMCA1201
>>
>> -kevin
>> --
>> Blog: http://off-the-wall-security.blogspot.com/.   | Twitter:
>> @KevinWWall
>> NSA: All your crypto bit are belong to us.
>>
>
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>