[Owasp-leaders] OWASP Mailing Lists

Mark Bristow mark.bristow at owasp.org
Thu Mar 5 16:34:14 EST 2009


A few years back I ran a MyBB platform for about 10k users.  It
natively supported a "mail notification" feature that effectively
turned each forum into a mailing list as well as rss feeds.

I believe that a hybrid model would better suit our organization's
needs and would encourage the web working group to look more deeply
into a requirements analysis and recommendation to the board.

-Mark

Sent from my wireless device

On Mar 5, 2009, at 4:23 PM, Rex Booth <rex.booth at owasp.org> wrote:

> Jason brings up the most important point: what is the purpose of the
> tool?  If it's for relatively immediate and transient communication,
> then a mailing list is fine.  If it's as a component of a knowledge
> repository and a way to educate members, then a forum is far better
> (IMO).  From my perspective, our chosen method of group communication
> needs to fit both of the above requirements, and likely several more.  I
> think some sort of requirements analysis is warranted if it hasn't
> already begun.
>
> IMHO: Agreed 100% that mailing lists are a horrible tool for bringing
> new members into the fold and that a forum would be a far more useful
> tool.  That said, I don't want to browse a forum in order to fire off a
> message to the leaders list or my local chapter.  A blended approach
> would indeed be ideal.
>
> That said, I'm absolutely useless in identifying a solution. ;)
>
> Rex
>
> Jason Li wrote:
>> Migration from mailing lists to forums has been an ongoing discussion
>> at OWASP since at least the OWASP Summit in Portugal if not before.
>>
>> To answer Arshan's question, the benefits that I personally see from
>> forums is in drawing new people into the OWASP community.
>> Functionally, mailing lists are great and do their job, but for anyone
>> coming into the OWASP fold, mailing lists are not a good way to
>> acclimate to the environment.
>>
>> There are mailman archives but I don't think anyone will claim that
>> those archives are very user friendly for a new person. The nature of
>> forums allows a newcomer to go to the forum group that they're
>> interested in and see the most active and relevant activity on that
>> forum. As a newcomer, joining a mailing list, you are hit with a
>> deluge of emails for which you have no context and possibly no
>> interest in seeing. That's not the kind of environment I think we want
>> to foster.
>>
>> There's also some administrative benefits as well - but when the OWASP
>> Web Site Working Group had this discussion at the Summit, it was
>> primarily from a "how do we make this better for new people?"
>> perspective.
>>
>> Before any further argument ensues, let me clearly state that both
>> Larry and the Web Site Working Group recognizes that people want to be
>> plugged into whatever medium we use to facilitate OWASP communication
>> (myself included). And that means people want to be able to send and
>> receive messages via email. We get that, we really do.
>>
>> What the OWASP Web Site Working Group has been exploring are message
>> forums that support cross pollination with mailing lists so that a
>> mailing list behaves essentially as a forum group (new message posting
>> = new email message sent to list, sending an email to the list = new
>> message posting). Unfortunately, there's not a whole lot out there
>> that's current. M2f for phpBB, which as far as I can tell is the best
>> free option out there, is not yet supporting phpBB 3.x.
>>
>> If anyone has any suggestions, please send them my way and I'll pass
>> them on.
>>
>> --
>> -Jason Li-
>> -jason.li@owasp.org-
>>
>>
>> On Thu, Mar 5, 2009 at 2:59 PM, Tim Bass <tim.silkroad at gmail.com> wrote:
>>
>>    Actually, I don't care what OWASP IT does.   The list, and how it
>>    works, speaks for itself.   I have seen the (forum v. email) flame
>>    wars before and am completely disinterested. Most of the arguments
>>    will be emotional and people with no forum experience will make wild,
>>    clueless claims, and the discussion will go nowhere.
>>
>>    Just go to http://ubuntuforums.org/   and you will see a professional
>>    forum on vBulletin.
>>
>>    Comparing good running, modern forum software to an email list is like
>>    comparing a F16 fighter jet to a lawnmower. For example, with
>>    vBulletin, there is an entire ecosystem of thousands of plugins that
>>    do everything under the sun  (www.vbulletin.org) from antispam bots to
>>    slick skins for mobile phones.
>>
>>    I am not going to get into a flame war over this crummy mailing list
>>    software, ROTFL
>>
>>    This is my last post on the topic.  I have managed an OWASP email list
>>    and I manage a forum with over 1,000,000 unique visitors a month, and
>>    there is no comparison, and to get into a tit-for-tat discussion on it
>>    would be like trying to teach a fish to climb a mountain, LOL
>>
>>    Email discussion lists are antique relics of the IT of yesterday.
>>
>>
>>    On Fri, Mar 6, 2009 at 2:45 AM, Arshan Dabirsiaghi
>>    <arshan.dabirsiaghi at aspectsecurity.com> wrote:
>>> I agree with Kevin, for what it's worth. Does anyone else view the benefits
>>> of forum communication as worth making the global switch?
>>>
>>> Arshan
>>> ________________________________
>>> From: owasp-leaders-bounces at lists.owasp.org on behalf of Kevin Reiter
>>> Sent: Thu 3/5/2009 2:41 PM
>>> To: owasp-leaders at lists.owasp.org
>>> Subject: Re: [Owasp-leaders] OWASP Mailing Lists
>>>
>>> Hi Tim,
>>>
>>> I was basing my comments on my personal experience with other forum
>>> software, which is why I used the words "typically" and "can be", meaning
>>> "not in every single case."  I've not seen a forum that allows a user to
>>> receive an e-mail for every single post, including new topics not previously
>>> subscribed to, which is why I stated that observation.  I'm not trying to
>>> start a flamewar over this, and I'm obviously not the expert here on this -
>>> I was just voicing _my_ opinion.
>>>
>>> ~Kevin
>>>
>>> On Thu, Mar 5, 2009 at 2:26 PM, Tim Bass <tim.silkroad at gmail.com> wrote:
>>>>
>>>> Hi Kevin,
>>>>
>>>> I gave my opinion.   I manage a large forum with over 3,000,000 page
>>>> views a month and over 70,000 registered users and none of your
>>>> arguments are correct, on modern, correctly managed forums. Spam is easier to
>>>> manage. There are modern plugins for this.  For folks who have mobile,
>>>> they can have email forwarded or the forum can have a mobile skin.   All
>>>> modern forums have subscribe in/out functions for new posts, if that is
>>>> what users want.   Bots are easy to manage with a simple plugin.
>>>>
>>>> Obviously, and I am not being caustic, you don't manage a large,
>>>> modern, commercial forum.
>>>>
>>>> Cheers.
>>>>
>>>> On Fri, Mar 6, 2009 at 2:00 AM, Kevin Reiter <kevin.reiter at owasp.org> wrote:
>>>>> I disagree about this for a few reasons (and feel free to disagree with
>>>>> me on this :)
>>>>>
>>>>> - Forums can be difficult to access/navigate from mobile devices.
>>>>> - Forum software requires constant maintenance (patches, version
>>>>> upgrades, spambot registration preening, etc.) to maintain security for
>>>>> both the forum application as well as the machine it resides on.
>>>>> - Forums typically do not let members know when there are new posts -
>>>>> only if you're already subscribed to an existing topic.  If you don't log in
>>>>> and check, you're not made aware of any important announcements.
>>>>> - Forums are higher targets for automated "sploit bots".
>>>>>
>>>>> Now, that's not to say that in addition to the mailing lists there
>>>>> couldn't (or shouldn't) be an official OWASP Forum.  I'm just pointing out that
>>>>> replacing the mailing lists with a forum might not be the best idea.
>>>>>
>>>>> Also, I'm curious to know how you mean, "mailing lists don't scale
>>>>> well."  In what way?  How are they deficient?  How don't they "scale well"?  I'm
>>>>> not being sarcastic, just curious by what you mean as it pertains to the
>>>>> OWASP lists.
>>>>>
>>>>>
>>>>> ~Kevin
>>>>>
>>>>> On Thu, Mar 5, 2009 at 1:27 PM, Tim Bass <tim.silkroad at gmail.com> wrote:
>>>>>>
>>>>>> Dear All,
>>>>>>
>>>>>> Mailing lists do not scale well.
>>>>>>
>>>>>> OWASP should consider moving to a modern, professional forum, like
>>>>>> vBulletin.
>>>>>>
>>>>>> The Ubuntu Forums
>>>>>> Linux Questions
>>>>>> The UNIX and Linux Forums
>>>>>>
>>>>>> etc.
>>>>>>
>>>>>> All these busy forums use vB.
>>>>>>
>>>>>> Email is so "last century" LOL.
>>>>>>
>>>>>> Cheers.
>>>>>> _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Kevin Reiter
>>>>> NJNYMetro OWASP
>>>>>