[Owasp-infrastructure] Duplicate Mailing lists (Respond by Aug 1st)

Jason Li jason.li at owasp.org
Wed Jul 27 18:10:07 EDT 2011

Larry/Kate/Board/Committee Chairs,

Several people (myself included) have made the mistake recently of sending
to the owasp-leaders at owasp.org Google Group instead of the
owasp-leaders at lists.owasp.org Mailman list.

I'm sure this has been happening for quite some time as Google helpfully
populates addresses from the organization user list.

In fact, a look at the "OWASP Leaders" Google Group shows messages dating
back to September 2010!

This Google Group is not the email address that everyone expects to use for
the "Leaders List". Moreover, I don't believe it accurately represents the
leaders, as membership to the the Google Group is extended only to (and
automatically to) anyone with an @owasp.org accounts. While *most* leaders
have @owasp.org accounts, to my knowledge, not necessarily *all* leaders
have @owasp.org accounts. In fact, under the current OWASP Membership
policy, my understanding is that all paid members have @owasp.org accounts,
so we will be catching "non-leaders" with these emails to the Google Group.

My recollection is that the OWASP Google Groups were compiled originally by
Larry as a potential replacement for mailman shortly after we migrated to
Google Apps infrastructure. However, we realized that Google App accounts
are required to access the web portion. Google Accounts are not available
everywhere in the world and as an international organization, that's a
severely limiting factor.

As a result, my understanding was that we never rolled out and migrated to
these Google groups.

Nonetheless, they remain active and the email addresses are "live", open and

The vast majority of these lists have never been used. Based on the
confusion and activity, my guess that the vast majority of any activity on
these groups is "by accident".

There are a few lists that are seem to be intentionally used instead of
mailman and do not follow the standard "owasp-XXX" mailing list convention:
* The Board uses the "OWASP" Google Groups (
* The Connections Committee uses the "Press" Google Group (
* The GPC uses the "Projects" Google Group (
* The Summit planning team also used a number of groups ("summit-*") before
and during the event for operational purposes

These separate groups make sense as a means to contact specific groups
without having to be subscribed to a mailing list while still conducting the
conversation in a way that is archived and open. It also insulates the
population of the entire mailing list from having to deal with every such
request to that group.  So it makes sense for groups explicitly deciding to
do this (as the Board, Connections Committee, and GPC have done)

However, for all the mailing lists and groups that are *not* aware of this
service, I believe that continuing to have "two" parallel mailing lists is
extremely confusing and can potentially fracture the dialogue in the

I would like to remove these groups to avoid future confusion - but before
acting, I'd like to understand if I'm missing a piece of the puzzle.

My plan would be as follows:
- Examine each OWASP Google Group
- If Google Group has no messages and is clearly not in use, remove the
email alias
- If the Google Group has messages and is in use, determine if usage is
accidental or intentional
--- For accidental usage, close the group and redirect the email alias to
the corresponding Mailman list
--- For intentional usage, ensure that the group knows the distinction and
publicize the result

If I hear no comments from the group, I'm going to proceed with my plan of
action slowly but surely starting August 1st.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-infrastructure/attachments/20110727/f580fdaa/attachment.html 

More information about the Owasp-infrastructure mailing list