[Owasp-board] Proposal Plan for incentive plan for Project leaders- updated: Board meeting 17th February

Kevin W. Wall kevin.w.wall at gmail.com
Sun Feb 7 16:36:44 UTC 2016


On Sat, Feb 6, 2016 at 7:32 PM, johanna curiel curiel
<johanna.curiel at owasp.org> wrote:
> Hi Board members & Project leaders
>
> I have updated the proposal plan
>
> https://docs.google.com/document/d/1PvNeEWgoO1w51VhHLwqqSgo0mBh-RvmSFUKMTz4QrYg/edit?pref=2&pli=1#heading=h.lw77ixr6kxi
>
> Big changes are:
>
> Simplified and concrete Project Review criterion based on community feedback
> Development of Review portal for automation purposes and community
> involvement
> QA reviews only by request in case project has not received any reviews and
> wishes to graduate
> Graduation Budget
>
> @Project Leaders:
> We will be discussing this proposal with the board on the 17th of February.
> Please feel free to comment on the document and participate during the
> meeting

I made a few comments, but there was one comment that I wanted to add that
I wasn't sure where to place it at, so I will make it here.

One concern that I have is trying to force all projects into the same
criteria for
advancement from incubator-->lab-->flagship. I believe that there are some
outlier projects that don't fit the usual criteria as laid out here
and other places.

I think a good example of this is the Java Encoder Project
(https://www.owasp.org/index.php/OWASP_Java_Encoder_Project).

The status of that project is only "incubator", in part because there has not
been a constant stream of releases. But in this specific case, does there
really NEED to be? I have not heard anyone mention that "there needs to
be this type of encoding that is currently not present", nor "this encoding
is wrong". This project seems rock solid to me and I have personally been
recommending it for those who were _only_ looking for a solution for
output encoding over ESAPI (and not just because until recently,
ESAPI has been rather inactive; the Java Encoder Project is much
lighter weight and thus a better fit if that's all you need). Looking at
the GitHub issues, there are NO issues and there is only one minor
pull request (a one character fix to a typo in a comment).  Now it could
be that there are just not enough developers using it. I don't know
how many times that it has been downloaded and more importantly,
how often it is actually being used in applications. But in my personal
opinion, it is long overdue for at least getting the Java Encoder Project
promoted to Lab status. I think, in part, it is because it doesn't meet that
"regular release" criteria, but then I'd have to ask, if they have no
bug fixes, what enhancements would you have them add?

Just my $.02,
-kevin

-- 
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.