[Owasp-leaders] OWASP Mailing Lists

Jason Li jason.li at owasp.org
Thu Mar 5 15:21:14 EST 2009


Migration from mailing lists to forums has been an ongoing discussion at
OWASP since at least the OWASP Summit in Portugal if not before.

To answer Arshan's question, the benefits that I personally see from forums
are in drawing new people into the OWASP community. Functionally, mailing
lists are great and do their job, but for anyone coming into the OWASP fold,
mailing lists are not a good way to acclimate to the environment.

There are mailman archives but I don't think anyone will claim that those
archives are very user friendly for a new person. The nature of forums
allows a newcomer to go to the forum group that they're interested in and
see the most active and relevant activity on that forum. As a newcomer,
joining a mailing list, you are hit with a deluge of emails for which you
have no context and possibly no interest in seeing. That's not the kind of
environment I think we want to foster.

There are also some administrative benefits as well - but when the OWASP Web
Site Working Group had this discussion at the Summit, it was primarily from
a "how do we make this better for new people?" perspective.

Before any further argument ensues, let me clearly state that both Larry and
the Web Site Working Group recognize that people want to be plugged into
whatever medium we use to facilitate OWASP communication (myself included).
And that means people want to be able to send and receive messages via
email. We get that, we really do.

What the OWASP Web Site Working Group has been exploring are message forums
that support cross pollination with mailing lists so that a mailing list
behaves essentially as a forum group (new message posting = new email
message sent to list, sending an email to the list = new message posting).
Unfortunately, there's not a whole lot out there that's current. M2f for
phpBB, which as far as I can tell is the best free option out there, is not
yet supporting phpBB 3.x.

If anyone has any suggestions, please send them my way and I'll pass them
on.

--
-Jason Li-
-jason.li at owasp.org-


On Thu, Mar 5, 2009 at 2:59 PM, Tim Bass <tim.silkroad at gmail.com> wrote:

> Actually, I don't care what OWASP IT does.   The list, and how it
> works, speaks for itself.   I have seen the (forum v. email) flame
> wars before and am completely disinterested. Most of the arguments
> will be emotional and people with no forum experience will make wild,
> clueless claims, and the discussion will go nowhere.
>
> Just go to http://ubuntuforums.org/   and you will see a professional
> forum on vBulletin.
>
> Comparing good running, modern forum software to an email list is like
> comparing an F16 fighter jet to a lawnmower. For example, with
> vBulletin, there is an entire ecosystem of thousands of plugins that
> do everything under the sun  (www.vbulletin.org) from antispam bots to
> slick skins for mobile phones.
>
> I am not going to get into a flame war over this crummy mailing list
> software, ROTFL
>
> This is my last post on the topic.  I have managed an OWASP email list
> and I manage a forum with over 1,000,000 unique visitors a month, and
> there is no comparison, and to get into a tit-for-tat discussion on it
> would be like trying to teach a fish to climb a mountain, LOL
>
> Email discussion lists are antique relics of the IT of yesterday.
>
>
> On Fri, Mar 6, 2009 at 2:45 AM, Arshan Dabirsiaghi
> <arshan.dabirsiaghi at aspectsecurity.com> wrote:
> > I agree with Kevin, for what it's worth. Does anyone else view the
> > benefits of forum communication as worth making the global switch?
> >
> > Arshan
> > ________________________________
> > From: owasp-leaders-bounces at lists.owasp.org on behalf of Kevin Reiter
> > Sent: Thu 3/5/2009 2:41 PM
> > To: owasp-leaders at lists.owasp.org
> > Subject: Re: [Owasp-leaders] OWASP Mailing Lists
> >
> > Hi Tim,
> >
> > I was basing my comments on my personal experience with other forum
> > software, which is why I used the words "typically" and "can be", meaning
> > "not in every single case."  I've not seen a forum that allows a user to
> > receive an e-mail for every single post, including new topics not
> > previously subscribed to, which is why I stated that observation.  I'm not
> > trying to start a flamewar over this, and I'm obviously not the expert here
> > on this - I was just voicing _my_ opinion.
> >
> > ~Kevin
> >
> > On Thu, Mar 5, 2009 at 2:26 PM, Tim Bass <tim.silkroad at gmail.com> wrote:
> >>
> >> Hi Kevin,
> >>
> >> I gave my opinion.   I manage a large forum with over 3,000,000 page
> >> views a month and over 70,000 registered users and none of your
> >> arguments are correct, on modern, correctly managed forums. Spam is
> >> easier to manage. There are modern plugins for this.  For folks who have
> >> mobile, they can have email forwarded or the forum can have a mobile
> >> skin.   All modern forums have subscribe in/out functions for new posts,
> >> if that is what users want.   Bots are easy to manage with a simple plugin.
> >>
> >> Obviously, and I am not being caustic, you don't manage a large,
> >> modern, commercial forum.
> >>
> >> Cheers.
> >>
> >> On Fri, Mar 6, 2009 at 2:00 AM, Kevin Reiter <kevin.reiter at owasp.org> wrote:
> >> > I disagree about this for a few reasons (and feel free to disagree with
> >> > me on this :)
> >> >
> >> > - Forums can be difficult to access/navigate from mobile devices.
> >> > - Forum software requires constant maintenance (patches, version
> >> >   upgrades, spambot registration preening, etc.) to maintain security for
> >> >   both the forum application as well as the machine it resides on.
> >> > - Forums typically do not let members know when there are new posts -
> >> >   only if you're already subscribed to an existing topic.  If you don't
> >> >   login and check, you're not made aware of any important announcements.
> >> > - Forums are higher targets for automated "sploit bots".
> >> >
> >> > Now, that's not to say that in addition to the mailing lists there
> >> > couldn't (or shouldn't) be an official OWASP Forum.  I'm just pointing
> >> > out that replacing the mailing lists with a forum might not be the best
> >> > idea.
> >> >
> >> > Also, I'm curious to know how you mean, "mailing lists don't scale
> >> > well."  In what way?  How are they deficient?  How don't they "scale
> >> > well"?  I'm not being sarcastic, just curious by what you mean as it
> >> > pertains to the OWASP lists.
> >> >
> >> >
> >> > ~Kevin
> >> >
> >> > On Thu, Mar 5, 2009 at 1:27 PM, Tim Bass <tim.silkroad at gmail.com> wrote:
> >> >>
> >> >> Dear All,
> >> >>
> >> >> Mailing lists do not scale well.
> >> >>
> >> >> OWASP should consider moving to a modern, professional forum, like
> >> >> vBulletin.
> >> >>
> >> >> The Ubuntu Forums
> >> >> Linux Questions
> >> >> The UNIX and Linux Forums
> >> >>
> >> >> etc.
> >> >>
> >> >> All these busy forums use vB.
> >> >>
> >> >> Email is so "last century" LOL.
> >> >>
> >> >> Cheers.
> >> >> _______________________________________________
> >> >> OWASP-Leaders mailing list
> >> >> OWASP-Leaders at lists.owasp.org
> >> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >> >
> >> >
> >> >
> >> > --
> >> > Kevin Reiter
> >> > NJNYMetro OWASP
> >> >