[Owasp-leaders] What is the OWASP definition of Open Source?

Stephen Craig Evans stephencraig.evans at gmail.com
Wed Nov 19 00:22:48 EST 2008


I re-read my previous post and if it was taken as "I don't care about
corporations", then that's not what I meant.

I note your distinction between corporations and corporate members. I
was trying to say that the EU Summit was the way things should work
and if people were there representing corporate members, then that's
great. I believe that OWASP's fierce independence gives it the high
respect that it deserves; and respect and recognition that is growing
by the day.

It's on my "to do" list to pay for an individual membership as soon as
I get paid the 2nd half of my Summer of Code project. I will also use
that money for travel expenses to spread the word at regional
developer events.


On Wed, Nov 19, 2008 at 12:24 AM, Calderon, Juan Carlos (GE,
Corporate, consultant) <juan.calderon at ge.com> wrote:
> Well, actually my comment was in that sense; when I say "Do we care
> about them?" I mean do we care what our corporate members have to say?
> I don't know if we can consider that they were covered by their
> representatives at the Summit or if even there were any representative
> of the around 50 corporate members at the Summit. IMO we all should be
> taken into consideration, including leaders, individual members and
> corporate members.
> I think Dual license is more about peace of mind for Corporate members,
> they need to have something more "solid" than open source license to
> feel comfortable and distribute OWASP materials in their organizations.
> Which is good because they can distribute/teach/evangelize to a
> considerable amount of people at once. Remember our objective: make
> application security visible, and if at the same time we have resources
> for a Summer of Code or a Summit in beautiful Portugal to speak about
> security, that's even better.
> Be honest, how many of you have paid your individual membership this
> year? There are 200 leaders on this list and only a total of 140
> individual memberships paid for 2008 (I think that was the number
> mentioned by Tom Brennan, correct me if I am wrong). In the mood of
> being open we might be actually closing the doors to some visibility
> channels like corporations and to OWASP to have a financial support that
> proved to work.
> So... We dumped our dual license... any corporate member on this list
> that was affected? Are you thinking of renewing your membership in 2009?
> PS. If you are wondering, no, I am not part of a corporate member. Also
> please do not make this thread a corporate "evil/good" discussion but
> rather focus on the licensing discussion.
> Regards,
> Juan Carlos Calderon
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Ivan Ristic
> Sent: Monday, 17 November 2008 07:25 a.m.
> To: Stephen Craig Evans
> Cc: owasp-leaders at lists.owasp.org; Booth, Rex
> Subject: Re: [Owasp-leaders] What is the OWASP definition of Open
> Source?
> Well, you should consider that it is the corporates who paid for us all
> to meet in Portugal. We obviously don't want to sell out, but we need
> funding in order to support our cause. Even if we didn't, I don't think
> taking a hard stance would be productive. A few other thoughts:
> - An average technical person has no clue about licensing, open source
> or not. Even many of those who support open source and contribute (and
> have their own open source projects) know little of the licences they
> are using.
> - Licensing matters are not for technical people to decide on. That's
> lawyers' job. So, lawyers _are_ our target users.
> - Lawyers are generally right to be suspicious of open source.
> Firstly, most licences are terribly ambiguous. Secondly, for most open
> source projects (OWASP included), it is impossible to determine who
> contributed what, and whether they had the right to contribute in the
> first place. I've raised this issue once before, but we need to clean up
> our act when it comes to licensing. Not only do we need to be aware of
> the licences we are using, but we need to have a process in place to
> make sure that we don't have tainted code in our repositories.
> On Sun, Nov 16, 2008 at 1:14 PM, Stephen Craig Evans
> <stephencraig.evans at gmail.com> wrote:
>> Hi James,
>> I echo Juan Carlos Calderon's thoughts:
>> "
>> Are we overlooking our OWASP users when taking this decision?
>> Was our corporate members' motive behind joining OWASP a willingness to
>> support OWASP, or the dual licensing, to have peace of mind?
>> Do we care what they think?
>> "
>> Do we want to conform to corporate lawyers and are we craving for
>> corporate acceptance?
>> As witnessed personally at the EU Summit in Portugal, I think OWASP is
>> doing fine and dandy on their present course.
>> Cheers,
>> Stephen
>> On Sat, Nov 15, 2008 at 1:02 AM, McGovern, James F (HTSC, IT)
>> <James.McGovern at thehartford.com> wrote:
>>> It is important to understand that within many large enterprises,
>>> lawyers do have a say as to what types of open source can be used. To
>>> the outside world, my comments will appear incoherent but to the
>>> inside world, the things I discuss are real world impediments.
>>> FACT, I can use Scarab but I can't use ESAPI. I hate debating
>>> rationale behind any thinking of any party, I just simply need for
>>> little nickel/dime stuff to be addressed.
>>> -----Original Message-----
>>> From: Booth, Rex [mailto:Rex.Booth at GT.com]
>>> Sent: Wednesday, November 12, 2008 1:46 PM
>>> To: McGovern, James F (HTSC, IT); jeff.williams at owasp.org
>>> Cc: owasp-leaders at lists.owasp.org
>>> Subject: RE: [Owasp-leaders] What is the OWASP definition of Open
>>> Source?
>>> Lawyers also aren't the ones using OWASP products.  I have faith that
>>> those who do use them are competent enough to provide the relevant
>>> information to their legal oversight.
>>> That said, the newly formed Web Site committee may want to take this
>>> as an action item...
>>> Rex Booth, CISSP, PMP
>>> Manager
>>> Global Public Sector
>>> Grant Thornton LLP
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> --
> Ivan Ristic
