[Owasp-leaders] Mailing list -> Forum

Jerry Hoff jerry at owasp.org
Wed Feb 9 08:57:38 EST 2011


Hi Dirk -

Both points are valid.  Here is something to consider:

- for legal issues, we could either continue mailing lists for
those edge cases (such as German chapters of OWASP), or we could assign
a volunteer moderator to the forum.  Dirk, would those solve the legal
issue?

- as for email write to the forum, does anyone have a good idea on how
to perform a secure way to post to the forum based on email?  Depending
on the email headers is embarrassingly kludgy.  Hidden email addresses? 
(i.e. 235hlnvasd9vj031inafwf at owasp.org), unique ids associated with each
thread (no good for starting a new thread though). 

I'm 100% in support of full read/write email / forum integration.  I
just don't think there is a way to do this securely.  Read - yes.  Write
- doubtful.  Anyone else want to chime in on this problem?

Jerry


On 2/9/11 2:08 PM, Dr. Dirk Wetter wrote:
> Hi Jerry,
>
> 2 points still need to be resolved IMO.
>
> Jerry Hoff schrieb, Am 02/09/2011 01:16 PM:
>> Hi everyone,
>>
>> I agree with Larry's points (my summary):
>>
>> - We can definitely implement a system (like on the mailing list) where we require or strongly encourage real names.
>> - time efficiency is improved since you subscribe only to the threads you are interested in
>> - new posts pushed out over email - log in to respond.
> Disagreed. There should be a technically reasonable safe solution also
> allowing posts to a forum via e-mail from a registered e-mail address.
> That's likely everything else than rocket science.
>
>> - branching / following a thread would be improved
>> - i like the idea of icons for users + some kind of link to bio
>> - search-able forum history - old threads can be revived with context & decrease in duplicate questions (hopefully)
>> - legality should not be an issue - the server is hosted in the US, and is no different than the millions of other installed forums on the web.  Not sure what the issue would be here.
> I just talked to a lawyer (specialized in IT stuff and involved in
> such a case) about this. He confirmed that for Germany it doesn't matter
> where the server is located. It matters where the "sphere" or audience of
> the forum is located. If it is in German, and Germans are moderators of the
> list, they are potentially in trouble. As a result in Germany no one dares
> to have a non-moderated public forum. Background info is e.g. @
> http://www.edri.org/edrigram/number4.12/germanforum . Everybody here
> knows it's stupid but until there will be a ruling from any high court
> one has to live with this.
>
> @Laurence: Don't ask me why those vampire-lawyers didn't get
> that mailing lists from their perspective are similar. Probably
> they only know how to use a browser and are not interested in
> geekish mailing lists.
>
> Cheers,
>
> Dirk
>
>
>
>> Jerry
>>
>>
>>
>> On 2/9/11 12:50 PM, Laurence Casey wrote:
>>> I would like to respond to all of the points below, because they are all
>>> good points. See below (-->).
>>>
>>> --Larry
>>>
>>>
>>> I use Google in those cases. How about providing a good designed search
>>> function on owasp.org?
>>>
>>> --> Using Google to search the mailman archives does make it easier,
>>> agree. In using Google, we are forcing people to disengage from our
>>> content for searches, while forums will keep them local with built in
>>> search. Not sure people actually search archives, so this probably
>>> shouldn't be a determining factor. 
>>>
>>>> A move to a forum will build a stronger OWASP community (hopefully),
>>>> allow for greater transparency among the various chapters, committees
>>>> and the board, and will give new members a place to come and more easily
>>>> interact with the other members of the OWASP community.   It would leave
>>>> searchable record of all the collective OWASP security wisdom in one
>>>> place.
>>>>> The searchable record is always there supposed the list(s) in question
>>>>> has the archives publicly available and the search bots find them.
>>>
>>> --> Relying on bots to build out search list while we could have the
>>> ability built in would offer more efficient searches. 
>>>
>>>> So does anyone have any strong opinions on the future of 
>>>> forum.owasp.org?  Larry Casey has generously offered to set it up, and
>>>> I think it would be a huge plus for the community.  As Michael Coates 
>>>> suggested, we could then start gradually migrating particular 
>>>> volunteer groups as a beta, and if it works out, we can ultimately 
>>>> migrate more mailing lists over to a forum.
>>>>> You're really rushing into this? If you really intend to do this,
>>>>> please design it properly, see below.
>>>
>>>>> Call me an old fart but I am not really in favor of forums.
>>> --> This has been on the table for a couple years now. I even went as
>>> far as to set up a forum for testing. Since it was not widely announced,
>>> that is most likely why it didn't take off. I would disagree that we are
>>> rushing. 
>>>
>>> There are several catches:
>>>
>>> * it's less personal, unless you strongly encourage people to
>>>   use their real names and list them also in the posting.
>>>
>>> --> Totally agree that it is less personal, if we could force usernames
>>> to real names with an approval process this could help reduce that
>>> perception.
>>>
>>> * it requires users to change their reading behavior. E-mails
>>>   are pushed out, forums are working in pull mode. (some
>>>   people don't use rss feeds).
>>>
>>> --> Forums do have the ability to email individual or complete sub forum
>>> posts. You would only need to go to the forum to post replies.
>>>
>>> * you need to reload the page in order to follow a discussion
>>>   (ok, you can have e.g. a piece of script doing this for you but it's
>>>   not KISS). Well, or send notifications out which you need
>>>   to do anyway.
>>>
>>> --> To me this is a plus. You don't have to wait for an email to come
>>> through. It would actually be easier to see posts in order. Mailing
>>> lists have the tendency of becoming branched and out of order.
>>>
>>> * the ratio of text vs. graphics (i.e. signal to noise) is worse
>>>
>>> --> This is actually great. We could have icons for different members
>>> (OWASP Follower, OWASP Member, Corporate Member,...). Nothing wrong with
>>> having a little art while you read.
>>>
>>> * some people do like the idea to read what's going on with any client
>>>   while on the road, also a mobile client. Those devices have no 24''
>>>   inch display, so pure text is the right thing(TM) here.
>>>
>>> --> Having threads emailed to you will resolve this problem as mentioned
>>> above.
>>>
>>> * Forums I know provide less sort functionality as opposed to mailman
>>>   archives, e.g. in terms of discussion threads, time, people and so on.
>>>   The only thing with mailman is that you need to tune mailman though
>>>   to get the right archiving options, e.g. low traffic lists and
>>>   one month archiving doesn't make sense.
>>>
>>> --> Forums offer more functionality! No tuning in mailman is going to
>>> offer the same level.
>>>
>>> * for sure you can pretty much lose the overview if you look at a forum as
>>>   opposed to e-mails which you have in your folder. This is IMO also
>>>   true for most forums with their crappy threaded viewing options
>>>   compared to mailman archives.
>>>
>>> --> Not sure what forum threading you are talking about. I have seen
>>> some real bad threading, but that is not what I am seeing in the
>>> software I had set up a couple years ago.
>>>
>>> * in some countries there are legal restrictions. E.g. in Germany there
>>>   were some rulings from different courts saying that the owner has
>>>   legal responsibility for what people are writing, in a forum. There are
>>>   lawyers around who make their living by sending owners of forums
>>>   cease-and-desist orders because people posted links to "illegal sites",
>>>   insulting others, criticizing products and so on and so forth.
>>>
>>> --> This is something a lawyer would have to chime in on, but since
>>> OWASP is a US based non-profit I think this wouldn't be a problem. How
>>> does this differ from a publicly searchable mailing list? Forums offer
>>> the ability to moderate risky content on the fly. Mailman requires back
>>> end work to moderate content. Over the past year alone, I have been
>>> asked to remove personal information, which could easily be done by
>>> moderators. This empowers the leaders.
>>>
>>>   I know it sucks badly and I don't know whether this also applies to the
>>>   owasp-germany list if it would be a forum as it is hosted in the
>>>   US. Currently though the 4 maintainers of this list are all Germans.
>>>   Personally I do not want to be held legally responsible for postings.
>>>   This would need to be checked by a lawyer. Also for other countries.
>>>
>>>   Maybe the machine translation helps shedding light on this:
>>> http://translate.google.com/translate?hl=en&ie=UTF-8&sl=auto&tl=en&u=http://de.wikipedia.org/wiki/Forenhaftung&prev=_t
>>>   (note the last paragraph about US courts)
>>>
>>> * Security, usability: One more account, one more password. Not everybody
>>>   is using on every device a password manager.
>>>
>>> --> Not sure it's possible, but I would be looking to integrate with
>>> Wiki for accounts. Even if this is not possible, accounts are part of
>>> conducting business online. I use password safe which is most likely the
>>> same way others work. 
>>>
>>>> We can also port the existing mail lists archives into the forum, for 
>>>> historical purposes.
>>>>
>>>> This would give a centralized home for all the regional chapters, 
>>>> committees, projects, conferences and the board.
>>>>
>>>> So leaders, what say you?
>>> Please keep mailman. As the archives are 100% text you could as well
>>> pour them in any web based forum.
>>>
>>> And if you still want a forum: pipe the postings also to the e-mail
>>> subscribers as I and maybe others still prefer e-mails.
>>>
>>> --> Porting all of the archives to the forum and removing the existing
>>> mailman archives would be the plan. 
>>>
>>>
>>> Dirk
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders



More information about the OWASP-Leaders mailing list
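
An added example (not part of the original thread, and not OWASP's implementation) of the "hidden email address" idea raised in the top message: a per-user, per-thread reply address authenticated with an HMAC, so the forum takes identity from the recipient token and never from the From header. The secret, domain, address layout and lifetime are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: server-side secret, never sent to users
DOMAIN = "forum.example.org"       # placeholder domain
TTL = 14 * 24 * 3600               # assumed lifetime of a reply address, in seconds


def _mac(user_id: int, thread_id: int, expires: int) -> str:
    """HMAC over the fields the address claims, as 24 lowercase base32 chars."""
    msg = f"{user_id}:{thread_id}:{expires}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()[:15]
    return base64.b32encode(digest).decode().lower()


def reply_address(user_id: int, thread_id: int, now=None) -> str:
    """Address placed in Reply-To of the notification sent to one user."""
    expires = int(time.time() if now is None else now) + TTL
    tag = _mac(user_id, thread_id, expires)
    return f"reply+{user_id}.{thread_id}.{expires}.{tag}@{DOMAIN}"


def verify_recipient(rcpt: str, now=None):
    """Return (user_id, thread_id) for a valid, unexpired address, else None."""
    now = int(time.time() if now is None else now)
    local, _, domain = rcpt.strip().lower().rpartition("@")
    if domain != DOMAIN or not local.startswith("reply+"):
        return None
    parts = local[len("reply+"):].split(".")
    if len(parts) != 4:
        return None
    try:
        user_id, thread_id, expires = (int(p) for p in parts[:3])
    except ValueError:
        return None
    expected = _mac(user_id, thread_id, expires).encode()
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    if not hmac.compare_digest(parts[3].encode(), expected):
        return None
    if expires < now:
        return None
    return user_id, thread_id
```

Such an address is a bearer credential: anyone who obtains it can post to that one thread as that user until it expires, and it does not cover starting a new thread.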