[Owasp-leaders] Rackspace, Migration, Stepping down

Jason Li jason.li at owasp.org
Wed Aug 17 21:56:33 EDT 2011


Alison and Kate can speak more authoritatively on OWASP finances - but when
I last asked them about such charges, I was told that was for graphic design
work, not for systems administration. My understanding has been that OWASP
has paid for Larry's graphic design work but that he volunteers his services
as systems administrator. My understanding is that these are billed by
Aspect rather than paid directly to Larry by OWASP because there are some fees
or something similar that are saved by all parties involved by going through
the process. But I don't personally know exactly why this process is the way
it is (saving a check fee maybe? I don't know).

I would welcome any clarification for those "in the know".

With regards to the state of the site, I know that everyone simply wants to
help by pointing it out. I'm also aware that it's a significant
inconvenience for all of us when services are unavailable. And
unfortunately, we have no established process or chain of escalation for
reporting such issues. Larry does have a monitoring system set up that
reports on services that are up and sends out alerts when things go down and
he attends to them as quickly as he can. Obviously more volunteer help would
be great and welcome.

Put it this way - you have a lot of experience leading ESAPI. Imagine that
you have the ESAPI baseline and you have Jenkins continuous integration
providing you alerts whenever the build breaks. Then imagine that for some
random reason completely out of your control, random bit errors are
introduced into the source tree that break the build. You're asleep, and
Jenkins sends you an alert that the build is broken. An ESAPI user is trying
to build from SVN and notices the build is broken and sends a message to
indicate that the build is broken. A bunch of other ESAPI list subscribers
reply - "yeah - broken for me too!". You wake up, and you have a ton of
messages in your mailbox about the build being broken. You diligently revert
the random bit flips and magically the build is working again and life
happily goes on. Everyone had the best of intentions in sending those emails
- but did it really help you at all?

I would love to see a better process for reporting outages and more clarity
on what Larry's role is/was for OWASP.

With respect to graphic design rates, I'm all about RFPs and open processes.
For those on the chain without context, there was a discussion on the
Committee Chairs mailing list regarding work previously done (
My understanding was that we were talking about design work in the context
of stuff that was done in the past - and work where the ownership status is
unclear. If there is design work that was done in the past prior to OWASP's
formal engagement with Larry, and that work is going to be used outside of
the original purpose, then we need to clarify what is to be done about that
work. That's the context I was speaking to in terms of rates. If we want to
look back and see how we have paid other graphic designers for other similar
work in the past, then the figures seem more than reasonable.

Of course moving forward things should always be open and competitive and
I'm not suggesting that we should restrict ourselves to one designer.

Jim - I am not trying to shame anyone. I am simply trying to see that Larry
gets the recognition he deserves for his contributions to OWASP. Judging
from the other replies of support on this thread, I don't think anyone else
interpreted my message to be anything other than me trying to praise and
highlight the job that Larry has been doing under less than ideal
circumstances. His volunteer efforts are an inspiration to us all and it's
unfortunate that there is so much confusion as to his role.

Any clarifications that need to be made about his paid or unpaid role don't
diminish those contributions or the recognition and respect he deserves.


On Wed, Aug 17, 2011 at 8:17 PM, Jim Manico <jim.manico at owasp.org> wrote:

>  Jason,
> First of all, Larry is awesome. I consider him a personal friend and have
> reached out to support him when I can.
> Second, haven't we been paying Aspect for some of Larry's services? I've
> seen bills come in from Aspect for Larry. I'm just confused between what
> OWASP pays Larry directly, what Larry volunteers, and what we pay to Aspect
> for Larry's time. To my knowledge this has never been made clear to the
> community.
> Third, I'm sorry that it "pains you" when folks state when the site goes
> down, but it also pains the European and other non-US communities who are
> trying to edit content. When folks state the site is down, which happens on
> a regular basis, it's not to attack Larry or anyone else, it's to provide
> information.
> Fourth, there are many capable designers all over the world (with great
> skill) who could feed several families on 50$USD/hr. It's shameful that you
> only compare Larry's rate to US resources. OWASP is a global community,
> right? If we put out RFP's worldwide you would be shocked to see what kind
> of full time resources we could leverage at rates much lower than 50$USD/hr.
> Larry is awesome and I'm grateful for his service regardless of his
> compensation. But I think it's critical that you tell "the rest of the
> story" before you literally try to shame the entire OWASP international
> community.
> --
> Jim Manico
> On Aug 17, 2011, at 6:54 PM, Jason Li <jason.li at owasp.org> wrote:
> Leaders,
> Last month there was a huge uproar about the need for OWASP to respect its
> leaders.
> I would like to bring to the community's attention a situation that has
> existed for far too long, where one of our greatest contributors has not
> been given due respect. In fact, I find that far too often, he is
> disrespected in the community.
> Larry Casey has contributed an enormous amount to the success of OWASP -
> contributions that go largely unnoticed until something goes wrong.
> There is a lot of confusion over his role at OWASP and I would like to
> share the facts as far as I know them.
> Larry has spent the last several years serving as the *volunteer*
> administrator of OWASP's infrastructure. While OWASP has paid for the
> hardware, the bandwidth, etc, the actual task of administrating has been
> largely performed on a volunteer basis.
> Every time the OWASP site is down, it pains me to see the rapid flux of
> messages to the Leader's List saying "OWASP Site is Down" followed by the
> inevitable floods of "Me too!" "Me three!" "Me five hundred
> thousand!". Larry has abandoned personal events and plans in the past to
> attend to these outages as soon as possible - and we are not paying him to
> do that!
> OWASP has paid Larry directly for graphic design work in the past - but in
> terms of basic system administrative tasks, Larry has selflessly devoted
> countless hours of his time to keeping OWASP alive and well.
> When was the last time you've heard of a Board member, a Committee member,
> a project leader or a chapter leader dropping whatever they were doing to
> attend to something for OWASP?
> And yet we as a community somehow *expect* this of Larry.
> It is no wonder that he has been trying to step down since ***JULY 2009***
> (https://www.owasp.org/index.php/OWASP_Board_Meeting_July_09).
> In that time, many people have raised their hand to volunteer to help. In
> fact, Larry invested some significant time setting up the supporting
> infrastructure to properly segregate and delegate administrative privileges
> for those folks. But no one has actually committed to following through when
> the going gets tough.
> And I don't blame them!
> We are all volunteers here at OWASP - I certainly don't want my phone
> ringing at 3AM on a Saturday with a message from the community complaining
> that the web site is down. I certainly don't want messages in my mailbox
> from random leaders impatiently asking when this will be set up, or that will
> be finished, or this can be done. I certainly don't want to bear the brunt
> of criticism while receiving none of the praise associated with
> administering the OWASP website and infrastructure.
> It's easy to be a volunteer systems administrator when there's nothing
> going wrong --- it all practically runs itself!
> But when things do go wrong, through no fault of anyone, Larry has been the
> *only* volunteer willing to take the task by the reins and work the grind
> to make sure the site goes back up in a *timely* manner (believe it or not,
> our uptime is actually *very* good because outages are infrequent and
> attended to quickly).
> It is because Larry loves OWASP that he continues to do the job behind the
> scenes despite his expressed desire NOT to be saddled with the
> *responsibility* that comes with being a systems administrator.
> Larry is one of the few people at OWASP that I feel truly understands that
> being an OWASP leader comes with a *responsibility*. While other leaders
> miss meetings and skip deadlines, Larry has always executed the
> *responsibility* of maintaining our infrastructure. We leaders can only hope
> to follow that example in our roles.
> I feel we are grossly underestimating the value that Larry has provided in
> terms of systems administration. I question whether we can find a volunteer
> that is willing to *commit* to the same level, responding to outages in a
> timely manner even in the middle of personal events.
> For that level of service, we probably need to pay someone. In fact, we
> probably should have been paying Larry all along for the emergency
> administration services he provides.
> I see that several leaders have exclaimed their desire to see Larry
> continue on in his role. I too would be sad to see Larry go. We at OWASP
> have done a *terrible* job of showing Larry the respect he deserves and I am
> truly sorry that he feels the need to move on.
> I hope that as a community, we can determine a way to properly recognize
> Larry for his contributions and show him the respect he deserves - whether
> that respect is through compensating him fairly for his contributions that
> go far beyond what we can expect of a volunteer, or by simply respecting his
> wish to step aside.
> -Jason
> On Wed, Aug 17, 2011 at 6:12 PM, Laurence Casey <larry.casey at owasp.org> wrote:
>> Leaders,
>>
>> I would like to thank everyone who I’ve met over the years both in person
>> and via email only. It has come the time for me to move on to other
>> projects.
>>
>> The contract is just about done for Rackspace, so here is the plan.
>>
>> 1. Migrate OWASP’s wiki to the new hosted environment.
>> 2. Migrate OWASP’s Ads to the new hosted environment.
>> 3. Migrate OWASP Rugged Code to the new hosted environment.
>> 4. Migrate OWASP’s email list content to the new hosted
>> environment.
>>
>> Once OWASP is relocated to its new home, OWASP will need to find another
>> administrator to manage the new infrastructure. If somebody wants to step
>> forward now and help with the move, that would be the best time to set
>> things up the way you want.
>>
>> Thanks again for the opportunity to be a part of this great organization.
>>
>> --Larry Casey
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> _______________________________________________
> Committees-chairs mailing list
> Committees-chairs at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/committees-chairs