[Owasp-board] Let's stand together against DCMA and similar laws
josh.sokol at owasp.org
Thu Aug 11 21:28:55 UTC 2016
I agree with the intent behind Kevin's e-mail and would support a Board
discussion alongside Andrew and Tom.
I also agree that it is reasonable to give Board members a day or so (at
least) to respond. We've all got day jobs, families, and need to sleep in
addition to our role as OWASP Board members.
On Thu, Aug 11, 2016 at 4:21 PM, Tiffany Long <tiffany.long at owasp.org>
> Hey Johanna, I don't want any confusion so I copied the email and will
> answer in line in red, this way it is easy to follow on all email systems.
> Hi Tiffany
> In answer to the steps described:
> *>>The first step* is for the group of you asking for the committee to
> write a proposal
> We have set this proposal as a wiki page here:
> This is fine, but unfortunately it does not follow the requirements
> outlined by the Committees 2.0 document. The document says:
> *"At any point in time, a community member may propose a new committee via
> the OWASP Leaders List stating their rationale and desired scope for
> creating a new committee. , ..."*
> This is why I explained that the proposal must A) follow this procedure
> and not be a wiki page and B) cautioned y'all to consider widening the
> scope of the committee. The Committees 2.0 process was set forth to
> ensure that OWASP follows our Core Values
> <https://tracking.cirrusinsight.com/31d051c7-d0ce-4703-8a9d-6c31bdb5a856/owasp-org-index-php-about-the-open-web-application-security-project> in
> order to achieve our Core Purpose
> Not following the rules put forth violates our values of being an Open and
> Global organization. Selectively enforcing them clouds
> our transparency and makes future Innovation more difficult.
> The core value of Innovation is also why I suggested the purpose of
> the committee be broader. There will be other actions that the committee
> will wish to take, the committee could put OWASP in a leadership position
> with regards to DRM and Privacy in the security space.
> *>>The second step* is to submit it to the leaders' list for discussion.
> This is happening right now as we write
> The goal is not only this action but:
> The major purpose to *support and protect Researchers Who Investigate
> Now this action is asking the OWASP board to sign as an organisation and not
> just individual members.
> We don't know if any other actions against researchers that will happen
> in the future and in which form, but then, we will define those actions
> when they happen. Right now is to sign the signatories as OWASP
> Unfortunately, there is no clear proposal here. The closest thing is a
> wiki page that has not been suggested at the top of the conversation and
> therefore there are a number of people currently excluded from the
> conversation. The proposal should be a stand alone conversation and
> contained in the very first email. The subject line should clearly note
> that the conversation is about the forming of a new committee. Remember,
> everything we do must be determined by our core values. We must ensure
> Openness and that is done by following the established guidelines.
> The goal is listed as
> "*Have OWASP as an organisation, not just individuals, officially support
> to protect researchers by being part of the signatories as an organization.*"
> Once again, the goal to have OWASP sign on to this support document
> is laudatory, but Privacy and DRM is a much larger topic and I am sure
> OWASP should say much more on it. Therefore I would strongly suggest that
> a healthy and effective committee would have a larger mission than this one
> action item. Once this is achieved the committee would no longer exist
> if the scope is defined so narrowly. Why go through this process every
> time we want OWASP to act when a standing committee could do it all much
> >>This conversation must take long enough for membership to take part.
> No limit is listed on the Committees 2.0 document, but it HAS to be longer
> than 24 hours to accommodate our global membership.
> Agree, in the committee creation wiki document it mentions 7 days. We can
> try to keep alive the conversation and allow other members to participate
> until the board meeting on the 23rd.
> Actually, the only part of the process that MUST take 7 days is the call
> for members. You have the freedom to set reasonable boundaries around this
> conversation. I would argue that 3 days or until the conversation peters
> out is a pretty accessible answer.
> *" If no conflict
> is determined to exist, the Board will initiate a public call for OWASP
> members interested in committee membership, via the OWASP Community mailing
> list, with a seven day time window."*
> *>>The third step* is to submit to the board.
> I think we will do this once the 7 days have passed or wait the next Board
> meeting which gives us plenty of time
> Next OWASP meeting is August 23rd, and this is the moment we will submit
> the proposal of approving the committee including proving an official
> letter as an Organisation against the DMCA act.
> You may wait should you choose to. You asked if it could get through
> more quickly; that is possible as well.
> Importantly here, you are only requesting that the board create a
> committee. That means that the committee does not yet exist to present the
> board with a letter. That letter must come THROUGH the committee AFTER the
> call for members. The reason for these rules is to give the community time
> to gather behind the effort and to prevent particular members
> from haring off to do something the community does not agree with. You
> yourself have called for such controls in the past 2 months, it is
> important that we follow the guidelines set forth by the organization.
> *>>The fourth step* is for the board (probably through me) to release a
> call for committee members.
> I think this is already happening right now. You can help us set out the
> word by releasing a call and social media, so people can join, but so far
> only *OWASP paying members* can actually be part of the committee. As
> supporters in case the person is not an OWASP member, they can set their
> name under the Supporter section of the wiki page
> No, this is not happening. A call for committee members can only happen
> after the board approves the committee. These steps
> have been delineated for a reason and as such should be followed until
> changed. Otherwise any small part of the group could determine changes to
> the organization without comment from the rest of the community. These
> steps cannot take place when only one part of the world is awake, and they
> cannot take place simultaneously.
> I totally understand that this is exciting and greatly wanted, but the
> actions to put something in motion that has a ton of high-visibility
> support must be exactly the same we want to take place for actions that
> have very little support in the community. This is how we adhere to our
> core value of radical transparency. Transparent rules have been set forth,
> they must be followed.
> This is why I broke the process down for this thread so that it is clear
> and easy to do. I want to facilitate this, but we must follow the
> If this 'call for committee' members requires at least 5 OWASP members and
> we already have 5 which is the minimum. Based on this we can actually submit
> a proposal.
> First, the call for committee members has not gone out yet, it goes out
> through the board likely by way of the community manager. This is to
> ensure that everyone has a chance and that the call is impartial. We have a
> transparent process, we need to stick to it rather than reinventing the
> wheel in such a way that transparency is compromised.
> Second, before the committee can submit anything it has to MEET and all
> members have to have a chance to be there. So far the global community has
> not even had the chance to ponder a new committee.
> Of course the more members that want to join the better, but I hope we do
> make this too bureaucratic otherwise we lose momentum with regards the
> DMCA signatories.
> I think the most important thing is that OWASP remain true to our core
> values and focus on protecting our transparency. This whole process can be
> completed in 2.5 weeks easily. Forming a committee that has the ability to
> put forth policy and activism suggestions for the foreseeable future is far
> more important than the small possibility of missing one opportunity. If
> this goal is truly worthy of putting all of our collective might behind,
> doing it the correct and transparent way is the only real choice.
> Attempting to re-litigate the rules over and over until they are changed
> will only take time from the process and alienate supporters.
> Committees wield real power and have the opportunity to speak for
> thousands of OWASPers. I do not think that 2 weeks is much to ask for
> effective, supported committees.
> Running ahead, with no clear goal and not following the process that was
> voted into existence by the board will only alienate many in our community
> and undermine future efficacy.
> For example, a committee not only has the right to ask OWASP to be
> signatories, but to direct press releases and draft the responses to future
> advocacy activities.
> Tiffany Long
> Community Manager
> On Thu, Aug 11, 2016 at 1:15 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>> Hi Tiffany
>> In answer to the steps described:
>> *>>The first step* is for the group of you asking for the committee to
>> write a proposal
>> We have set this proposal as a wiki page here:
>> *>>The second step* is to submit it to the leaders' list for discussion.
>> This is happening right now as we write
>> The goal is not only this action but:
>> The major purpose to *support and protect Researchers Who Investigate
>> Now this action is asking the OWASP board to sign as an organisation and
>> not just individual members.
>> We don't know if any other actions against researchers that will happen
>> in the future and in which form, but then, we will define those actions
>> when they happen. Right now is to sign the signatories as OWASP
>> >>This conversation must take long enough for membership to take part.
>> No limit is listed on the Committees 2.0 document, but it HAS to be longer
>> than 24 hours to accommodate our global membership.
>> Agree, in the committee creation wiki document it mentions 7 days. We can
>> try to keep alive the conversation and allow other members to participate
>> until the board meeting on the 23rd.
>> *>>The third step* is to submit to the board.
>> I think we will do this once the 7 days have passed or wait the next
>> Board meeting which gives us plenty of time
>> Next OWASP meeting is August 23rd, and this is the moment we will submit
>> the proposal of approving the committee including proving an official
>> letter as an Organisation against the DMCA act.
>> *>>The fourth step* is for the board (probably through me) to release a
>> call for committee members.
>> I think this is already happening right now. You can help us set out the
>> word by releasing a call and social media, so people can join, but so far
>> only *OWASP paying members* can actually be part of the committee. As
>> supporters in case the person is not an OWASP member, they can set their
>> name under the Supporter section of the wiki page
>> If this 'call for committee' members requires at least 5 OWASP members
>> and we already have 5 which is the minimum. Based on this we can actually
>> submit a proposal.
>> Of course the more members that want to join the better, but I hope we do
>> make this too bureaucratic otherwise we lose momentum with regards the
>> DMCA signatories.
>> On Thu, Aug 11, 2016 at 3:43 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
>>> I think Johanna was referring to this link:
>>> Blog: http://off-the-wall-security.blogspot.com/. | Twitter:
>>> NSA: All your crypto bit are belong to us.
>> Johanna Curiel
>> OWASP Volunteer