<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    I think it's important we let folks know it's out of date or is no
    longer maintained. I think it's fair to "demote" this project.<br>
    <br>
    Rather than remove it from GitHub, I suggest we just put a warning on
    the GitHub page that it's no longer being maintained and has
    security issues. Someday, someone may want to fork or update this.<br>
    <br>
    Aloha,<br>
    Jim<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 11/20/15 12:09 PM, johanna curiel
      curiel wrote:<br>
    </div>
    <blockquote
cite="mid:CACxry_2H=LKfmbMeVW6hqE03MmeLSLnb7m1rypw9Epm9NDhW0Q@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hi Leaders,
        <div><br>
        </div>
        <div>There was a very interesting discussion regarding the OWASP
          PHPSEC library.</div>
        <div><br>
        </div>
        <div>The issue brought up by some users of the library (Andrew
          Carter, James Titcumb, Katy Ereira and Sven <span name="Sven
            Rautenberg" class="" style="font-size:13px">Rautenberg</span><span
            style="font-size:13px;white-space:nowrap"> (a former </span><span
            style="white-space:nowrap">contributor)) on the
            GitHub repository mailing list is that the library contains
            many security issues, </span></div>
        <div><span style="white-space:nowrap">it has not been
            maintained for more than a year </span><span
            style="white-space:nowrap">and it should be taken down from
            the </span><span style="white-space:nowrap">OWASP
            GitHub repository.</span></div>
        <div><span style="white-space:nowrap"><br>
          </span></div>
        <div><a moz-do-not-send="true"
            href="https://github.com/OWASP/phpsec/issues/108#issuecomment-158447768">https://github.com/OWASP/phpsec/issues/108#issuecomment-158447768</a><br>
        </div>
        <div><a moz-do-not-send="true"
            href="https://github.com/OWASP/phpsec/issues/108#issuecomment-158436572">https://github.com/OWASP/phpsec/issues/108#issuecomment-158436572</a><br>
        </div>
        <div><a moz-do-not-send="true"
            href="https://github.com/OWASP/phpsec/issues/108#issuecomment-158428769">https://github.com/OWASP/phpsec/issues/108#issuecomment-158428769</a><br>
        </div>
        <div><a moz-do-not-send="true"
            href="https://github.com/OWASP/phpsec/issues/108#issuecomment-158418384">https://github.com/OWASP/phpsec/issues/108#issuecomment-158418384</a><br>
        </div>
        <div><br>
        </div>
        <div><span style="white-space:nowrap">They all presented quite
            strong arguments, with code references, that the library,</span></div>
        <div><span style="white-space:nowrap"> even though it is an
            incubator project, can mislead potential
            users of the project into using it (which happened to them).</span></div>
        <div><span style="white-space:nowrap">They feel OWASP has
            a responsibility to not allow these projects to be under the
            OWASP GitHub and to delete them.</span></div>
        <div><span style="white-space:nowrap"><br>
          </span></div>
        <div><span style="white-space:nowrap">While I argued that a
            lot of effort was put in by volunteers, which might not
            have obtained the expected results, Andrew Carter argued back:</span></div>
        <div><span style="color:rgb(80,0,80);font-size:13px"><br>
          </span></div>
        <div><span style="color:rgb(80,0,80);font-size:13px"><i>Could
              you confirm to me that you consider the feelings of your
              volunteers and contributors more important than the
              security of the applications developed by people trusting
              the OWASP namespace?</i></span></div>
        <div><span style="font-size:13px"><br>
          </span></div>
        <div>He presented a list of issues, and Sven, the former
          contributor, also agreed that, sadly, the library should be taken
          down from GitHub, but also from the OWASP inventory (to be set as
          inactive).</div>
        <div><br>
        </div>
        <div>I cc Claudia so this can be taken up internally with the
          staff, as PHPSEC is not the only inactive library under the OWASP
          GitHub and it definitely needs a cleanup.</div>
        <div><br>
        </div>
        <div>The point I want to bring up is that higher standards are
          definitely needed to allow projects, but especially when these
          projects are 'security libraries'.</div>
        <div><br>
        </div>
        <div>Unfortunately, even though volunteers are putting in big
          efforts, I do agree this is definitely not an excuse (as
          Andrew mentioned) to allow them when people are trusting the
          OWASP name for security, even if it is an incubator project.</div>
        <div><br>
        </div>
        <div>Regards</div>
        <div><br>
        </div>
        <div>Johanna</div>
      </div>
      <br>
      <pre wrap="">_______________________________________________
Owasp-board mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Owasp-board@lists.owasp.org">Owasp-board@lists.owasp.org</a>
<a class="moz-txt-link-freetext" href="https://lists.owasp.org/mailman/listinfo/owasp-board">https://lists.owasp.org/mailman/listinfo/owasp-board</a>
</pre>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Jim Manico
Global Board Member
OWASP Foundation
<a class="moz-txt-link-freetext" href="https://www.owasp.org">https://www.owasp.org</a></pre>
  </body>
</html>