[Owasp-leaders] What is the OWASP definition of Open Source?

Ivan Ristic ivan.ristic at gmail.com
Mon Nov 17 08:25:27 EST 2008

Well, you should consider that it is the corporates who paid for us
all to meet in Portugal. We obviously don't want to sell out, but we
need funding in order to support our cause. Even if we didn't, I don't
think taking a hard stance would be productive. A few other thoughts:

- An average technical person has no clue about licensing, open source
or not. Even many of those who support open source and contribute (and
have their own open source projects) know little of the licences they
are using.

- Licensing matters are not for technical people to decide on. That's
lawyers' job. So, lawyers _are_ our target users.

- Lawyers are generally right to be suspicious of open source.
Firstly, most licences are terribly ambiguous. Secondly, for most open
source projects (OWASP included), it is impossible to determine who
contributed what, and whether they had the right to contribute in the
first place. I've raised this issue once before, but we need to clean
up our act when it comes to licensing. Not only do we need to be aware of
the licences we are using, but we need to have a process in place to
make sure that we don't have tainted code in our repositories.

On Sun, Nov 16, 2008 at 1:14 PM, Stephen Craig Evans
<stephencraig.evans at gmail.com> wrote:
> Hi James,
> I echo Juan Carlos Calderon's thoughts:
> "
> Are we overseen our OWASP users when taking this decision?
> Do our corporate members motive behind joining OWASP was willing to
> support OWASP or the dual licensing to have peace of mind?
> Do we care what they think?
> "
> Do we want to conform to corporate lawyers and are we craving for
> corporate acceptance?
> As witnessed personally at the EU Summit in Portugal, I think OWASP is
> doing fine and dandy on their present course.
> Cheers,
> Stephen
> On Sat, Nov 15, 2008 at 1:02 AM, McGovern, James F (HTSC, IT)
> <James.McGovern at thehartford.com> wrote:
>> It is important to understand that within many large enterprises,
>> lawyers do have a say as to what types of open source can be used. To
>> the outside world, my comments will appear incoherent but to the inside
>> world, the things I discuss are real world impediments.
>> FACT, I can use Scarab but I can't use ESAPI. I hate debating rationale
>> behind any thinking of any party, I just simply need for little
>> nickel/dime stuff to be addressed.
>> -----Original Message-----
>> From: Booth, Rex [mailto:Rex.Booth at GT.com]
>> Sent: Wednesday, November 12, 2008 1:46 PM
>> To: McGovern, James F (HTSC, IT); jeff.williams at owasp.org
>> Cc: owasp-leaders at lists.owasp.org
>> Subject: RE: [Owasp-leaders] What is the OWASP definition of Open
>> Source?
>> Lawyers also aren't the ones using OWASP products.  I have faith that
>> those who do use them are competent enough to provide the relevant
>> information to their legal oversight.
>> That said, the newly formed Web Site committee may want to take this as
>> an action item...
>> Rex Booth, CISSP, PMP
>> Manager
>> Global Public Sector
>> Grant Thornton LLP
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders

Ivan Ristic
