[Owasp-leaders] What is the OWASP definition of Open Source?

Stephen Craig Evans stephencraig.evans at gmail.com
Thu Nov 20 12:47:17 EST 2008

Hi James,

Yes, let's get the licensing straightened out so it makes it easier
for corporations to adopt OWASP stuff - and hopefully contribute cash.
I think that action item is on the list from Portugal.

As to the rest of your points, I am catching the drift that you think
that OWASP owes people something for contributing or at least
recognizing - in some form - their contribution. To turn the tables on
you: How do you do that? How do you quantify somebody's contribution
and acknowledge it? How is somebody's contribution valued more than
somebody else's? How do you reward that contribution? Do you pay out
cash or give brownie points? What are brownie points? How are brownie
points established? Should there be a contribution working group?
Should it be a virtual working group meeting or should it be a
physical meeting? If physical, then where should it be? Near airports
where it's cheap and boring, and/or Chicago in the winter? Or do we do
Skype with webcams?

I did my first official Summer of Code project and got paid a little
for it. I spent a lot of time away from my family and friends. I am
now working gratis on another project. I don't expect anything from
anybody. I have my personal selfish motives for doing it (to learn a
lot and, if it's good, get some recognition). I have learned that I
have to do more self-promotion for my projects - I will learn from
that experience. I feel good working within OWASP in that I think one
gets out of it what they put into it.

IMHO, OWASP is on the right course. I like Dinis's vision of having
security experts on one side, having corporations/organizations on the
other side, and OWASP being the middle man to hook up the 2 when the
corps/orgs want a service and a security specialization that fits
their needs and a project or endeavour that they don't want to afford
to do in-house on their own... Yes, we OWASP participants have
cleaning up and organization to do to be able to offer those services
to corps/orgs. Which is what I think is going on now and what
were the fruits of the labor of the EU Summit in Portugal.

But never for one second do I think that OWASP owes me anything. With
OWASP, to quote the Geto Boys, actions speak louder than words.


On Wed, Nov 19, 2008 at 10:44 PM, McGovern, James F (HTSC, IT)
<James.McGovern at thehartford.com> wrote:
>  Several thoughts:
> 1. I am of the belief that chapter leaders do their part to help OWASP
> grow and that any contribution they make is icing on the cake. If I
> added up the amount of hours I spend on chapter related activities and
> placed a value of $100 against it, the return on bagging fries at
> McDonalds after work would be higher. So, if contributions aren't at
> 100%, then maybe a discussion of affordability (I predict folks in Asia
> would have trouble) or just value proposition would be in order.
> 2. The spirit of open source says that a person can contribute in a
> variety of ways whether via financial or time, we should acknowledge
> them equally as time is money. I think this aspect of PR is somewhat
> neglected.
> 3. The model of open source says that folks should be able to try
> software to see if it provides value to them. If it does provide value
> then they would be more willing to reach into their wallets and
> corporations have pretty big ones. But all this goes to waste if
> something as simple to resolve as licensing becomes an impediment. Our
> value proposition isn't to just those who are members, but those who
> would make great future members as well.
> 4. We also have a duty to not just stick to Stallman'ish principles even
> when they cause harm. Lots of people may spend time away from their
> friends and family writing high quality valuable software. The thing
> that is more important than being open (flamebait?) is in ensuring that
> their time is not wasted and the thing that will keep them contributing
> is in knowing that their craft is appreciated by a growing number of
> folks who actually use it.
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Calderon,
> Juan Carlos (GE, Corporate,consultant)
> Sent: Tuesday, November 18, 2008 11:24 AM
> To: Ivan Ristic; Stephen Craig Evans
> Cc: Booth, Rex; owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] What is the OWASP definition of Open
> Source?
> Well, actually my comment was on that sense, when I say "Do we care
> about them?" I mean do we care what our corporate members have to say?
> I don't know if we can consider that they were covered by their
> representatives at the Summit or if even there were any representative
> of the around 50 corporate members at the Summit. IMO we all should be
> taken into consideration, including leaders, individual members and
> corporate members.
> I think Dual license is more about peace of mind for Corporate members,
> they need to have something more "solid" than open source license to
> feel comfortable and distribute OWASP materials in their organizations.
> Which is good because they can distribute/teach/evangelize to a
> considerable amount of people at once. Remember our objective: make
> application security visible and if at the same time we have resources
> for a Summer of Code or a Summit in beautiful Portugal to speak about
> security, that's even better.
> Be honest, how many of you have paid your individual membership this
> year? There are 200 leaders on this list and only a total of 140
> individual memberships paid for 2008 (I think that was the number
> mentioned by Tom Brennan, correct me if I am wrong). In the mood of
> being open we might be actually closing the doors to some visibility
> channels like corporations and to OWASP to have a financial support that
> proved to work.
> So... We dumped our dual license... any corporate member on this list
> that was affected? Are you thinking of renewing your membership in 2009?
> PS. If you are wondering, No I am not part of a corporate member. Also
> please do not make this thread a corporate "evil/good" discussion but
> rather focus on the licensing discussion.
> Regards,
> Juan Carlos Calderon