[Owasp-leaders] What is the OWASP definition of Open Source?

Calderon, Juan Carlos (GE, Corporate, consultant) juan.calderon at ge.com
Tue Nov 18 11:24:23 EST 2008

Well, actually my comment was in that sense: when I say "Do we care
about them?" I mean, do we care what our corporate members have to say?

I don't know if we can consider that they were covered by their
representatives at the Summit, or if there even was any representative
of the around 50 corporate members at the Summit. IMO we all should be
taken into consideration, including leaders, individual members and
corporate members.

I think dual licensing is more about peace of mind for corporate members;
they need to have something more "solid" than an open source license to
feel comfortable distributing OWASP materials in their organizations.
Which is good, because they can distribute/teach/evangelize to a
considerable number of people at once. Remember our objective: make
application security visible, and if at the same time we have resources
for a Summer of Code or a Summit in beautiful Portugal to speak about
security, that's even better.

Be honest, how many of you have paid your individual membership this
year? There are 200 leaders on this list and only a total of 140
individual memberships paid for 2008 (I think that was the number
mentioned by Tom Brennan; correct me if I am wrong). In the mood of
being open we might actually be closing the doors to some visibility
channels like corporations, and to OWASP having a financial support that
proved to work.

So... We dumped our dual license... any corporate member on this list
that was affected? Are you thinking of renewing your membership in 2009?

PS. If you are wondering, no, I am not part of a corporate member. Also
please do not make this thread a corporate "evil/good" discussion but
rather focus on the licensing discussion.

Juan Carlos Calderon

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Ivan Ristic
Sent: Monday, 17 November 2008 07:25 a.m.
To: Stephen Craig Evans
Cc: owasp-leaders at lists.owasp.org; Booth, Rex
Subject: Re: [Owasp-leaders] What is the OWASP definition of Open

Well, you should consider that it is the corporates who paid for us all
to meet in Portugal. We obviously don't want to sell out, but we need
funding in order to support our cause. Even if we didn't, I don't think
taking a hard stance would be productive. A few other thoughts:

- An average technical person has no clue about licensing, open source
or not. Even many of those who support open source and contribute (and
have their own open source projects) know little of the licences they
are using.

- Licensing matters are not for technical people to decide on. That's
lawyers' job. So, lawyers _are_ our target users.

- Lawyers are generally right to be suspicious of open source.
Firstly, most licences are terribly ambiguous. Secondly, for most open
source projects (OWASP included), it is impossible to determine who
contributed what, and whether they had the right to contribute in the
first place. I've raised this issue once before, but we need to clean up
our act when it comes to licensing. Not only do we need to be aware of the
licences we are using, but we need to have a process in place to make
sure that we don't have tainted code in our repositories.

On Sun, Nov 16, 2008 at 1:14 PM, Stephen Craig Evans
<stephencraig.evans at gmail.com> wrote:
> Hi James,
> I echo Juan Carlos Calderon's thoughts:
> "
> Are we overlooking our OWASP users when taking this decision?
> Was our corporate members' motive behind joining OWASP a willingness to
> support OWASP, or the dual licensing to have peace of mind?
> Do we care what they think?
> "
> Do we want to conform to corporate lawyers, and are we craving for
> corporate acceptance?
> As witnessed personally at the EU Summit in Portugal, I think OWASP is
> doing fine and dandy on their present course.
> Cheers,
> Stephen
> On Sat, Nov 15, 2008 at 1:02 AM, McGovern, James F (HTSC, IT) 
> <James.McGovern at thehartford.com> wrote:
>> It is important to understand that within many large enterprises,
>> lawyers do have a say as to what types of open source can be used. To
>> the outside world, my comments will appear incoherent, but to the
>> inside world, the things I discuss are real world impediments.
>> FACT: I can use Scarab but I can't use ESAPI. I hate debating the
>> rationale behind any thinking of any party; I just simply need for
>> little nickel/dime stuff to be addressed.
>> -----Original Message-----
>> From: Booth, Rex [mailto:Rex.Booth at GT.com]
>> Sent: Wednesday, November 12, 2008 1:46 PM
>> To: McGovern, James F (HTSC, IT); jeff.williams at owasp.org
>> Cc: owasp-leaders at lists.owasp.org
>> Subject: RE: [Owasp-leaders] What is the OWASP definition of Open 
>> Source?
>> Lawyers also aren't the ones using OWASP products. I have faith that
>> those who do use them are competent enough to provide the relevant
>> information to their legal oversight.
>> That said, the newly formed Web Site committee may want to take this 
>> as an action item...
>> Rex Booth, CISSP, PMP
>> Manager
>> Global Public Sector
>> Grant Thornton LLP
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders

Ivan Ristic
