[Owasp-leaders] OWASP Mailing Lists

Rex Booth rex.booth at owasp.org
Thu Mar 5 16:23:59 EST 2009


Jason brings up the most important point: what is the purpose of the 
tool?  If it's for relatively immediate and transient communication, 
then a mailing list is fine.  If it's as a component of a knowledge 
repository and a way to educate members, then a forum is far better 
(IMO).  From my perspective, our chosen method of group communication 
needs to fit both of the above requirements, and likely several more.  I 
think some sort of requirements analysis is warranted if it hasn't 
already begun.

IMHO: Agreed 100% that mailing lists are a horrible tool for bringing 
new members into the fold and that a forum would be a far more useful 
tool.  That said, I don't want to browse a forum in order to fire off a 
message to the leaders list or my local chapter.  A blended approach 
would indeed be ideal.

That said, I'm absolutely useless in identifying a solution. ;)

Rex

Jason Li wrote:
> Migration from mailing lists to forums has been an ongoing discussion 
> at OWASP since at least the OWASP Summit in Portugal if not before.
>
> To answer Arshan's question, the benefits that I personally see from 
> forums is in drawing new people into the OWASP community. 
> Functionally, mailing lists are great and do their job, but for anyone 
> coming into the OWASP fold, mailing lists are not a good way to 
> acclimate to the environment.
>
> There are mailman archives but I don't think anyone will claim that 
> those archives are very user friendly for a new person. The nature of 
> forums allows a newcomer to go to the forum group that they're 
> interested in and see the most active and relevant activity on that 
> forum. As a newcomer, joining a mailing list, you are hit with a 
> deluge of emails for which you have no context and possibly no 
> interest in seeing. That's not the kind of environment I think we want 
> to foster.
>
> There's also some administrative benefits as well - but when the OWASP 
> Web Site Working Group had this discussion at the Summit, it was 
> primarily from a "how do we make this better for new people?" perspective.
>
> Before any further argument ensues, let me clearly state that both 
> Larry and the Web Site Working Group recognizes that people want to be 
> plugged into whatever medium we use to facilitate OWASP communication 
> (myself included). And that means people want to be able to send and 
> receive messages via email. We get that, we really do.
>
> What the OWASP Web Site Working Group has been exploring are message 
> forums that support cross pollination with mailing lists so that a 
> mailing list behaves essnetially as a forum group (new message posting 
> = new email message sent to list, sending an email to the list = new 
> message posting). Unfortunately, there's not a whole lot out there 
> that's current. M2f for phpBB, which as far as I can tell is the best 
> free option out there, is not yet supporting phpBB 3.x.
>
> If anyone has any suggestions, please send them my way and I'll pass 
> them on.
>
> --
> -Jason Li-
> -jason.li <http://jason.li>@owasp.org-
>
>
> On Thu, Mar 5, 2009 at 2:59 PM, Tim Bass <tim.silkroad at gmail.com 
> <mailto:tim.silkroad at gmail.com>> wrote:
>
>     Actually, I don't care what OWASP IT does.   The list, and how it
>     works, speaks for itself.   I have seen the (forum v. email) flame
>     wars before and am completely disinterested. Most of the arguments
>     will be emotional and people with no forum experience will make wild,
>     clueless claims, and the discussion will go no where.
>
>     Just go to http://ubuntuforums.org/   and you will see a professional
>     forum on vBulletin.
>
>     Comparing good running, modern forum software to an email list is like
>     comparing a F16 fighter jet to a lawnmower. For example, with
>     vBulletin, there is an entire ecosystem of thousands of plugins that
>     do everything under the sun  (www.vbulletin.org
>     <http://www.vbulletin.org>) from antispam bots to
>     slick skins for mobile phones.
>
>     I am not going to get into a flame war over this crummy mailing list
>     software, ROTFL
>
>     This is my last post on the topic.  I have managed an OWASP email list
>     and I manage a forum with over 1,000,000 unique visitors a month, and
>     their is no comparison, and to get into a tit-for-tat discussion on it
>     would be like trying to teach a fish to climb a mountain, LOL
>
>     Email discussion lists are antique relics of the IT of yesterday.
>
>
>     On Fri, Mar 6, 2009 at 2:45 AM, Arshan Dabirsiaghi
>     <arshan.dabirsiaghi at aspectsecurity.com
>     <mailto:arshan.dabirsiaghi at aspectsecurity.com>> wrote:
>     > I agree with Kevin, for what it's worth. Does anyone else view
>     the benefits
>     > of forum communication as worth making the global switch?
>     >
>     > Arshan
>     > ________________________________
>     > From: owasp-leaders-bounces at lists.owasp.org
>     <mailto:owasp-leaders-bounces at lists.owasp.org> on behalf of Kevin
>     Reiter
>     > Sent: Thu 3/5/2009 2:41 PM
>     > To: owasp-leaders at lists.owasp.org
>     <mailto:owasp-leaders at lists.owasp.org>
>     > Subject: Re: [Owasp-leaders] OWASP Mailing Lists
>     >
>     > Hi Tim,
>     >
>     > I was basing my comments on my personal experience with other forum
>     > software, which is why I used the words "typically" and "can
>     be", meaning
>     > "not in every single case."  I've not seen a forum that allows a
>     user to
>     > receive an e-mail for every single post, including new topics
>     not previously
>     > subscribed to, which is why I stated that observation.  I'm not
>     trying to
>     > start a flamewar over this, and I'm obviously not the expert
>     here on this -
>     > I was just voicing _my_ opinion.
>     >
>     > ~Kevin
>     >
>     > On Thu, Mar 5, 2009 at 2:26 PM, Tim Bass <tim.silkroad at gmail.com
>     <mailto:tim.silkroad at gmail.com>> wrote:
>     >>
>     >> Hi Kevin,
>     >>
>     >> I gave my opinion.   I manage a large forum with over 3,000,000
>     page
>     >> views a month and over 70,000 registered users and none of your
>     >> arguments
>     >> are correct, on modern, correctly managed forums. Spam is easier to
>     >> manage. There are modern plugins for this.  For folks who have
>     mobile,
>     >> they
>     >> can have email forwarded or the forum can have a mobile skin.   All
>     >> modern forum as subscribe in/out functions for new posts, if
>     that is
>     >> what
>     >> users want.   Bots are easy to manage with simple plugin.
>     >>
>     >> Obviously, and I am not being caustic, you don't manage a large,
>     >> modern, commercial forum.
>     >>
>     >> Cheers.
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >> On Fri, Mar 6, 2009 at 2:00 AM, Kevin Reiter
>     <kevin.reiter at owasp.org <mailto:kevin.reiter at owasp.org>>
>     >> wrote:
>     >> > I disagree about this for a few reasons (and feel free to
>     disagree with
>     >> > me
>     >> > on this :)
>     >> >
>     >> > - Forums can be difficult to access/navigate from mobile devices.
>     >> > - Forum software requires constant maintenance (patches, version
>     >> > upgrades,
>     >> > spambot registration preening, etc.) to maintain security for
>     both the
>     >> > forum
>     >> > application as well as the machine it resides on.
>     >> > - Forums typically do not let members know when there are new
>     posts -
>     >> > only
>     >> > if you're already subscribed to an existing topic.  If you
>     don't login
>     >> > and
>     >> > check, you're not made aware of any important announcements.
>     >> > - Forums are higher targets for automated "sploit bots".
>     >> >
>     >> > Now, that's not to say that in addition to the mailing lists
>     there
>     >> > couldn't
>     >> > (or shouldn't) be an official OWASP Forum.  I'm just pointing
>     out that
>     >> > replacing the mailing lists with a forum might not be the
>     best idea.
>     >> >
>     >> > Also, I'm curious to know how you mean, "mailing lists don't
>     scale
>     >> > well."
>     >> > In what way?  How are they deficient?  How don't they "scale
>     well"?  I'm
>     >> > not
>     >> > being carcastic, just curious by what you mean as it pertains
>     to the
>     >> > OWASP
>     >> > lists.
>     >> >
>     >> >
>     >> > ~Kevin
>     >> >
>     >> > On Thu, Mar 5, 2009 at 1:27 PM, Tim Bass
>     <tim.silkroad at gmail.com <mailto:tim.silkroad at gmail.com>> wrote:
>     >> >>
>     >> >> Dear All,
>     >> >>
>     >> >> Mailing lists to not scale well.
>     >> >>
>     >> >> OWASP should consider moving to a modern, professional
>     forum, like
>     >> >> vBulletin.
>     >> >>
>     >> >> The Ubuntu Forums
>     >> >> Linux Questions
>     >> >> The UNIX and Linux Forums
>     >> >>
>     >> >> etc.
>     >> >>
>     >> >> All these busy forums use vB.
>     >> >>
>     >> >> Email is so "last century" LOL.
>     >> >>
>     >> >> Cheers.
>     >> >> _______________________________________________
>     >> >> OWASP-Leaders mailing list
>     >> >> OWASP-Leaders at lists.owasp.org
>     <mailto:OWASP-Leaders at lists.owasp.org>
>     >> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>     >> >
>     >> >
>     >> >
>     >> > --
>     >> > Kevin Reiter
>     >> > NJNYMetro OWASP
>     >> >
>     >> > _______________________________________________
>     >> > OWASP-Leaders mailing list
>     >> > OWASP-Leaders at lists.owasp.org
>     <mailto:OWASP-Leaders at lists.owasp.org>
>     >> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>     >> >
>     >> >
>     >> _______________________________________________
>     >> OWASP-Leaders mailing list
>     >> OWASP-Leaders at lists.owasp.org
>     <mailto:OWASP-Leaders at lists.owasp.org>
>     >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>     >
>     > _______________________________________________
>     > OWASP-Leaders mailing list
>     > OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>     > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>     >
>     >
>     _______________________________________________
>     OWASP-Leaders mailing list
>     OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>   


More information about the OWASP-Leaders mailing list