[Owasp-leaders] Mailing list -> Forum

Laurence Casey larry.casey at aspectsecurity.com
Wed Feb 9 06:50:10 EST 2011

I would like to respond to all of the points below, because they are all
good points. See below (-->).


I use Google in those cases. How about providing a good designed search
function on owasp.org?

--> Using Google to search the mailman achieves does make it easier,
agree. In using Google, we are forcing people to disengage from our
content for searches, while forums will keep them local with built in
search. Not sure people actually search archives, so this probably
shouldn't be a determining factor. 

> A move to a forum will build a stronger OWASP community (hopefully), 
> allow for greater transparency among the various chapters, committees 
> and the board, and will give new members a place to come and more
> interact with the other members of the OWASP community.   It would
> searchable record of all the collective OWASP security wisdom in one 
> place.

>>The searchable record is always there supposed the list(s) in question
has the archives publicly available and the search bots find them.

--> Relying on bots to build out search list while we could have the
ability built in would offer more efficient searches. 

> So does anyone have any strong opinions on the future of 
> forum.owasp.org?  Larry Casey has generously offered to set it up, and

> I think it would be a huge plus for the community.  As Michael Coates 
> suggested, we could then start gradually migrating particular 
> volunteer groups as a beta, and if it works out, we can ultimately 
> migrate more mailing lists over to a forum.

>> You're really rushing into this? If you really intend to do this,
please design it properly, see below.

>> Call me an old fart but I am not really in favor of forums.

--> This has been on the table for a couple years now. I even went as
far as to setup a forum for testing. Since it was not widely announced,
that is most likely why it didn't take off. I would disagree that we are

There are several catches:

* it's less personal, unless you strongly encourage people to
  use their real names and list them also in the posting.

--> Totally agree that it is less personal, if we could force usernames
to real names with an approval process this could help reduce that

* it requires users to change their reading behavior. E-mails
  are pushed out, forums are working in pull mode. (some
  people don't use rss feeds).

--> Forums do have the ability to email individual or complete sub forum
posts. You would only need to go to the forum to post replies.

* you need to reload the page in order to follow a discussion
  (ok, you can have e.g. a piece of script doing this for you but it's
  not KISS). Well, or send notifications out which you need
  to do anyway.

--> To me this is a plus. You don't have to wait for an email to come
through. It would actually be easier to see posts in order. Mailing
lists have the tendency of becoming branched and out of order.

* the ratio of text vs. graphics (i.e. signal to noise) is worse

--> This is actually great. We could have icons for different members
(OWASP Follower, OWASP Member, Corporate Member,...). Nothing wrong with
having a little art while you read.

* some people do like the idea to read what's going on with any client
  while on the road, also a mobile client. Those devices have no a 24''
  inch display, so pure text is the right thing(TM) here.

--> Having threads emailed to you will resolve this problem as mentioned

* Forums I know provide less sort functionality as opposed to mailman
  archives, e.g. in terms of discussion threads, time, people and so on.
  The only thing with mailman is that you need to tune mailman though
  to get the right archiving options, e.g. low traffic lists and
  one month archiving doesn't make sense.

--> Forums offer more functionality! No tuning in mailmain is going to
offer the same level.

* for sure you can pretty much loose the overview if you look at a forum
  opposed to e-mails which you have in your folder. This is IMO also
  true if for most forums with their crappy threaded viewing options
  compared to mailman archives.

--> Not sure what forum threading you are talking about. I have seen
some real bad threading, but that is not what I am seeing in the
software I had setup a couple years ago.

* in some countries there are legal restrictions. E.g. in Germany there
  were some rulings from different courts saying that the owner has
  legal responsibility for what people are writing, in a forum. There
  lawyers around who make their living by money sending owners of a
  cease-and-desist orders because people posted links to "illegal
  insulting others, criticizing products and so on and so forth.

--> This is something a lawyer would have to chime in on, but since
OWASP is a US based non-profit I think this wouldn't be a problem. How
does this differ from a publically searchable mailing list? Forums offer
the ability to moderate risky content on the fly. Mailman requires back
end work to moderate content. Over the past year alone, I have been
asked to remove personal information, which could easily be done by
moderators. This empowers the leaders.

  I know it sucks badly and I don't know whether this also applies to
  owasp-germany list if it would be a forum as it is hosted in the
  US. Currently though the 4 maintainers of this list are all Germans.
  Personally I do not want to be held legally responsible for postings.
  This would need to be checked by a lawyer. Also for other countries.

  Maybe the machine translation helps shedding light on this:
  (note the last paragraph about US courts)

* Security, usability: One more account, one more password. Not
  is using on every device a password manager.

--> Not sure it's possible, but I would be looking to integrate with
Wiki for accounts. Even if this is not possible, accounts are part of
conducting business online. I use password safe which is most likely the
same way others work. 

> We can also port the existing mail lists archives into the forum, for 
> historical purposes.
> This would give a centralized home for all the regional chapters, 
> committees, projects, conferences and the board.
> So leaders, what say you?

Please keep mailman. As the archives are 100% text you could as well
pour them in any web based forum.

And if you still want a forum: pipe the postings also to the e-mail
subscribers as I and maybe others still prefer e-mails.

--> Porting all of the archives to the forum and removing the existing
mailman archives would be the plan. 


OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org

More information about the OWASP-Leaders mailing list