[Owasp-infrastructure] [Owasp-board] Duplicate Mailing lists (Respond by Aug 1st)

Jason Li jason.li at owasp.org
Wed Jul 27 20:34:37 EDT 2011

Indeed Tom, it was my plan to act on some of these less sexy but
important administrate tasks, and it's why I emailed the group in the first

I think we're all frequently annoyed by members of the community saying
"OWASP should..." or "OWASP needs to...", as if some magic OWASP genie were
going to make it so. I don't have any intention on becoming that person :)

But like I said when I was granted admin access, I'm very reluctant to
charge forward with any administrative change without first understanding
why things are the way they are.

We're all smart people here, and usually there's a reason that something is
the way it is. Sometimes it's because no one has had the time to devote to
changing it. But sometimes it's because a plan is already in place and still
being executed on or it's because there are complexities or complications
that smart people have thought about and concluded that the current state is
the best we can do given the circumstances. In the latter cases, when
someone comes into a situation without being cognizant of the context and
background, they usually end up causing a lot of noise, thrash and
unproductive activity as they rehash the same challenges of prior attempts.

That's why I thought it was important to lay out what my current
understanding of the status of these GoogleGroups, and a proposed a plan of
action before unilaterally acting on it. I don't think OWASP is well served
when those of us in leadership positions (Board Members/Committee Chairs)
take unilateral action.

It sounds like the current state of mailing lists/GoogleGroups pretty much
aligns with my understanding - although there may be some recent changes in
GoogleGroups infrastructure that overcome previous shortcomings.

I'll look into it and either proceed forward with my plan outlined in the
previous email (namely, remove the Google Groups to avoid confusion) or if
there's enough change in infrastructure to warrant shifting, then I'll draft
a migration plan (which would probably look very similar to step #4 in this


On Wed, Jul 27, 2011 at 6:40 PM, Tom Brennan <tomb at owasp.org> wrote:

> The goal has always been to get off of hosting a dedicated system for
> mailing list management of a mailman 2.1.8 in the closet.  GoogleGroups can
> solve out issue for management of both mailing lists for local chapters
> providing access to the chapter leaders for admin via the @owasp.org email
> domain as well as other non chapter mailing lists such as projects and
> leaders.
> https://groups.google.com/a/owasp.org/?hl=en
> Recent updates also include the ability to leverage them with public
> non-owasp accounts too.
> http://www.google.com/support/a/bin/answer.py?answer=167097
> You have ADMIN access Jason to the GoogleApps for OWASP Foundation seems
> you have extra cycles -- your welcome to take on that internal project that
> although is not as sexy as say... "flagship efforts" is clearly critical
> there are several backoffice projects that need that energy.
> On Jul 27, 2011, at 5:10 PM, Jason Li wrote:
> Larry/Kate/Board/Committee Chairs,
> Several people (myself included) have made the mistake recently of sending
> to the owasp-leaders at owasp.org Google Group instead of the
> owasp-leaders at lists.owasp.org Mailman list.
> I'm sure this has been happening for quite some time as Google helpfully
> populates addresses from the organization user list.
> In fact, a look at the "OWASP Leaders" Google Group shows messages dating
> back to September 2010!
> This Google Group is not the email address that everyone expects to use for
> the "Leaders List". Moreover, I don't believe it accurately represents the
> leaders, as membership to the the Google Group is extended only to (and
> automatically to) anyone with an @owasp.org accounts. While *most* leaders
> have @owasp.org accounts, to my knowledge, not necessarily *all* leaders
> have @owasp.org accounts. In fact, under the current OWASP Membership
> policy, my understanding is that all paid members have @owasp.orgaccounts, so we will be catching "non-leaders" with these emails to the
> Google Group.
> My recollection is that the OWASP Google Groups were compiled originally by
> Larry as a potential replacement for mailman shortly after we migrated to
> Google Apps infrastructure. However, we realized that Google App accounts
> are required to access the web portion. Google Accounts are not available
> everywhere in the world and as an international organization, that's a
> severely limiting factor.
> As a result, my understanding was that we never rolled out and migrated to
> these Google groups.
> Nonetheless, they remain active and the email addresses are "live", open
> and available.
> The vast majority of these lists have never been used. Based on the
> confusion and activity, my guess that the vast majority of any activity on
> these groups is "by accident".
> There are a few lists that are seem to be intentionally used instead of
> mailman and do not follow the standard "owasp-XXX" mailing list convention:
> * The Board uses the "OWASP" Google Groups (
> https://groups.google.com/a/owasp.org/group/owasp/<https://groups.google.com/a/owasp.org/group/owasp/topics>
> )
> * The Connections Committee uses the "Press" Google Group (
> https://groups.google.com/a/owasp.org/group/press)
> * The GPC uses the "Projects" Google Group (
> https://groups.google.com/a/owasp.org/group/projects)
> * The Summit planning team also used a number of groups ("summit-*") before
> and during the event for operational purposes
> These separate groups make sense as a means to contact specific groups
> without having to be subscribed to a mailing list while still conducting the
> conversation in a way that is archived and open. It also insulates the
> population of the entire mailing list from having to deal with every such
> request to that group.  So it makes sense for groups explicitly deciding to
> do this (as the Board, Connections Committee, and GPC have done)
> However, for all the mailing lists and groups that are *not* aware of this
> service, I believe that continuing to have "two" parallel mailing lists is
> extremely confusing and can potentially fracture the dialogue in the
> community.
> I would like to remove these groups to avoid future confusion - but before
> acting, I'd like to understand if I'm missing a piece of the puzzle.
> My plan would be as follows:
> - Examine each OWASP Google Group
> - If Google Group has no messages and is clearly not in use, remove the
> email alias
> - If the Google Group has messages and is in use, determine if usage is
> accidental or intentional
> --- For accidental usage, close the group and redirect the email alias to
> the corresponding Mailman list
> --- For intentional usage, ensure that the group knows the distinction and
> publicize the result
> If I hear no comments from the group, I'm going to proceed with my plan of
> action slowly but surely starting August 1st.
> -Jason
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-infrastructure/attachments/20110727/0bb4357e/attachment-0001.html 

More information about the Owasp-infrastructure mailing list