[Owasp-leaders] OWASP Mailing Lists

Jason Li jason.li at owasp.org
Thu Mar 5 18:36:52 EST 2009

Just to clarify what Dinis said about forums, we considered migrating from
mailing lists to forums before and to that end, Larry setup a phpBB system.
But this system was never actually publicized to the OWASP Community so
we'll never know if it would have lived or died on its own. It was squahsed
before it even got off the ground because there was huge internal uproar at
the thought of doing a full cutover and so the forums were abandoned.

I don't want to discourage anyone from trying to put forth any new effort as
Dinis mentions below, but I would temper any ethusiasm with regards to
forums with the fact that we've been down this path before. In theory we
could have forums and mailing lists co-existing, but in practice it's not
very realistic as people aren't very likely to use both systems. The
existing inertia for everyone currently using mailing lists is far too great
and so any new users that stumble into the forums will find them to be
eerily "dead". We came to the conclusion that to keep people happy while
still giving forums a chance to survive, the forums would have to support
cross pollination of mailing lists

So for anyone who wants to pick up the Forums torch, be aware of this fact.
Anyone interested should start by taking a look at at the functionality
provided by M2F (http://mail2forum.com/). This module provides exactly the
functionality we need to support integrated mailing lists and forums in a
way that keeps the mailing lists working the way that everyone  is used to,
but at the same time opens up a fully linked forum that would be far more
welcoming to new audiences. The only problem is that they're still working
on supporting phpBB3 (the last version they support, phpBB2 has been
deprecated). In fact, if there's any intrepid OWASP programmers out there,
the M2F team is looking for developers :-)

-Jason Li-
-jason.li at owasp.org-

On Thu, Mar 5, 2009 at 6:08 PM, dinis cruz <dinis.cruz at owasp.org> wrote:

> Hey guys, there is no problem with OWASP forums, in fact we have
> implemented 'official' OWASP forums in the past (I believe it was at
> http://forums.owasp.org/) and the problem was that NOBODY used it  :)
> Remember that with OWASP there is NOTHING stopping any of you from trying
> new stuff for your project or chapter (of course that it should be
> compatible with our Code of Ethics<http://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project> ,
> and if it does, just about anything can be done)
> What is great about OWASP, is that because we are open and most people
> don't have time to deal with 'non working' stuff, what tends to happen (and
> be given attention) are things that ACTUALLY work (like the WIKI<http://www.owasp.org> ,
> Mailing Lists <https://lists.owasp.org/mailman/listinfo/> , local chapters<http://www.owasp.org/index.php/Category:OWASP_Chapter> ,
> Seasons of Code<http://www.owasp.org/index.php/Category:OWASP_Season_of_Code> ,
> OWASP Project Assessment Criteria<http://www.owasp.org/index.php/Category:OWASP_Project_Assessment> ,
> OWASP Committees <https://www.owasp.org/index.php/Global_Committee_Pages>, etc..).
> So for the ones that are proposing Forums, GO FOR IT , show us how they
> work for your project or chapter. Make them SO powerful that the mailing
> lists become redundant :)
> Finally, and Tim sorry to pick on you, but (my personal opinion) is that
> comments like these are out of line (i.e. not acceptable) in the
> owasp-leaders list (especially in the context they were written):
> "...Obviously, and I am not being caustic, you don't manage a
> large, modern, commercial forum..."
> "...Email discussion lists are antique relics of the IT of yesterday...."
> "... Email is so "last century" LOL....
> One of the (good) lessons that I learned from being involved with the OWASP
> Seasons of Code and the OWASP Summit, is the high level of professionalism
> and 'people quality' (values, ethics, good humor, etc...) that we have in
> our community. After thinking about it (as in "WHY is that"?), I realized
> that due to our open culture and the fact that only the people who actually
> DO something get airtime and visibility, we have a very healthy
> self-selection process of active owasp-leaders.
> So, the next time you think about sending a negative or
> very-opinionated  comment, remember that we are all very experienced
> professionals who tend to be quite good at what they do and have a wealth of
> experience in lots of different areas. Also remember that due to our
> multi-cultural reach what is 'funny' in one side of the world is 'not funny
> at all' in the other. It's all about common-sense and being sensitive to
> other's opinions, values and knowledge.
> Bottom line, let's keep these discussions ALWAYS on productive mind-sets,
> and when possible don't just criticize, but offer solutions.
> So in this case, don't say 'Mailing lists suck' , but say 'Hey I've set-up
> a forum (at Yahoo groups because I'm old-school) and I'm going to show there
> how it can work'
> Remember that OWASP IT should be focusing on scalability, reliability and
>  resilience (look at how Paulo Coimbra was so worried about the fact that
> COMMENT ABOUT ... was not being received by other OWASP members a couple
> minutes after it was sent.
> Note, the major sign of something becoming invaluable and "can't live
> without" is when it fails, people notice about it and raise alerts (our WIKI
> and Mailing lists are good examples). Remember that we had 'official OWASP'
> forums in the past (and blogs) who started, lived and died without much
> 'noise' from our community.
> Final point, I agree 100% that OWASP needs to explore the 'Web 2.0'
> collaboration tools, and that they can dramatically improve some of our
> current technological bottlenecks, so my challenge to you is: Show us
> which one works, so that we can scale it out to the rest of the community.
> Dinis Cruz
> 2009/3/5 Arturo 'Buanzo' Busleiman <buanzo at buanzo.com.ar>
>> Hash: SHA512
>> Tim Bass wrote:
>> > Obviously, and I am not being caustic, you don't manage a large,
>> > modern, commercial forum.
>> OWASP does not run a commercial <insert term here>. It's a non-for-profit
>> web security organization.
>> If you're willing to provide all the know how and resources to make what
>> you claim happen, then make
>> a proposal. I'm sure a good % of people will love a forum, and another %
>> of those people will love a
>> mobile skin so they can use their smartphones to access it painlessly.
>> - --
>> Arturo "Buanzo" Busleiman / Arturo Busleiman @ 4:900/107
>> Independent Linux and Security Consultant - SANS - OISSG - OWASP
>> http://www.buanzo.com.ar/pro/eng.html
>> Mailing List Archives at http://archiver.mailfighter.net
>> Version: GnuPG v1.4.9 (GNU/Linux)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>> iEYEAREKAAYFAkmwT60ACgkQAlpOsGhXcE36GgCbBp8rApKgcuuIsJ6KptrdlP4A
>> N4UAn0jyevhIW7WlxE342cgCbsOzD5Zy
>> =5uPt
>> -----END PGP SIGNATURE-----
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20090305/892c920e/attachment.html 

More information about the OWASP-Leaders mailing list