[Owasp-leaders] Why it's ok to pay leaders

Paolo Perego thesp0nge at owasp.org
Sun Apr 15 15:39:39 UTC 2012


My friend, that's why I think conf meet-ups and hackathons would be a good investment :)

"static analysis is fun... again"
Owasp Orizon project leader: http://orizon.sf.net
Owasp Italy R&D director

On 15/apr/2012, at 15:21, "Arturo 'Buanzo' Busleiman" <buanzo at buanzo.com.ar> wrote:

> I consider paying hotel, trips, food and a cold one a great coding motivator :)
> 
> On 04/15/2012 07:33 AM, Paolo Perego wrote:
>> Guys I want to spend my 0.02 cents on this topic. I'm not sure paying leaders to work on open
>> source projects is a good idea, and it's not in the open source DNA itself. Consider projects
>> like Rails, Linux Kernel... a lot of people contribute because:
>> * projects are cool
>> * they can spend the experience with recruiters or with their job bosses.
>> 
>> People don't ask for money... they ask for cool high visibility projects to work into.
>> 
>> So, in my opinion it's better to save money for summits, to appsec conferences or to finance
>> local chapters to spread the voice... to make awareness.
>> 
>> Paying people to work on open source projects is not in the open source DNA, it is in the
>> software factory one. IMHO it's best to invest in infrastructure to be used, not in financial
>> support for developers.
>> 
>> Paolo
>> 
>> 
>> On Fri, Apr 13, 2012 at 9:59 PM, Arturo 'Buanzo' Busleiman <buanzo at buanzo.com.ar> wrote:
>> 
>> Hell, I'll contribute a % out of my own pocket.
>> 
>> 
>> On Fri, Apr 13, 2012 at 4:05 PM, Eoin <eoin.keary at owasp.org> wrote:
>> 
>> Hey jeff, see inline.
>> 
>> 
>> Eoin Keary BCC Risk Advisory Owasp Global Board +353 87 977 2988
>> 
>> 
>> On 13 Apr 2012, at 15:02, Jeff Williams <jeff.williams at owasp.org> wrote:
>> 
>>> Hi everyone,
>>> 
>>> There's some right on both sides of this argument actually.  The problem is that we're not
>>> clear the desired outcome, and it's making the right strategy hard to see.
>> Desired outcome is defined in the proposal. It's simple. Reboot older projects, market and get
>> adoption for active projects.
>> 
>>> 
>>> There are those among us who want OWASP to become yet another security organization, deliver
>>> a few cool projects and deliverables, have chapters, host conferences, and have a CEO.
>> 
>> Who are these people? It's not about that for me. It's about people using owasp and appointing
>> value to the foundation. This gives rise to adoption and hence more secure software.
>> 
>>> We could easily do this.  In fact, we mostly have.  It's a safe strategy, but it won't result
>>> in any meaningful change in the world.  It's design by committee.  It will never scale to the
>>> size and influence necessary to effect real change.  And frankly, it's boring.
>> 
>> Reading 70 emails on spending a few dollars is equally boring. Can we not just go and do it?
>> Owasp has lots of red tape compared to 5 years ago.
>> 
>> 
>>> 
>>> And then there are those of us (myself included) that are shooting for something
>>> extraordinary.  This is not about OWASP.  It's about changing the way the world creates
>>> software.
>> 
>> Agreed so let's just go and do it. Current model does not work. Very little project activity.
>> We are turning into a conference event organisation.
>> 
>>> We know that OWASP can't fund every good idea - it can't even know what the good ideas are.
>>> But we can use our time and money to create a platform that will support and encourage a ton
>>> of ideas - and maybe if we are lucky one will actually work.
>> Agreed. Reboot is open for project submissions.
>> 
>>> 
>>> I urge you to abandon the idea of paying leaders.  Invest in the platform and great things 
>>> will happen.
>> People are the platform. What else is there? A wiki? Let's invest in the people.
>> 
>>> If projects need funds then they should use the OWASP Project Partnership Model
>>> <https://docs.google.com/document/d/1ea4jWVDziLcZMTJUC5qW5psWYROpB-oPlqyl4Ei2xHA/edit?hl=en_US&authkey=CKycuTY>.
>> 
>> That model was announced last September, how is it going? Is it getting much traction? What
>> projects are under this model?
>> 
>>> I am and it works.  Encourage crazy experiments.  Figure out a way to get appsec to go viral.
>>> Give a little support to a thousand appsec projects to help them bloom and grow, not just a
>>> chosen few.
>>> 
>> No projects will be chosen. We had a rough leadership vote a few weeks back but individuals 
>> need to propose projects.
>> 
>>> --Jeff
>>> 
>>> 
>>> 
>>> On Apr 13, 2012, at 7:44 AM, Eoin <eoin.keary at owasp.org> wrote:
>>> 
>>>> Hi,
>>>> 
>>>> The wiki page is here: https://www.owasp.org/index.php/Projects_Reboot_2012
>>>> 
>>>> I think we have debated this enough, written blogs and had phone conversations. I hope for
>>>> the board to ratify, or not, the proposal today.
>>>> 
>>>> 
>>>> Eoin
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> On 13 April 2012 11:10, John Wilander <john.wilander at owasp.org> wrote:
>>>> 
>>>> I would prefer a referendum among leaders preceded by both sides presenting their side of
>>>> the matter on a wiki tab each. We would also need an info page on what is actually proposed.
>>>> "Pay" is too vague. This is an important question for the foundation. If a majority of
>>>> leaders vote the community will have a much easier time accepting the outcome than if the
>>>> board decides.
>>>> 
>>>> If the board doesn't want a referendum I assume you will not take part in the discussion
>>>> nor the vote, Eoin, since it's your proposal.
>>>> 
>>>> Regards, John
>>>> 
>>>> -- My music http://www.johnwilander.com Twitter https://twitter.com/johnwilander
>>>> CV or Résumé http://johnwilander.se
>>>> 
>>>> On 13 Apr 2012, at 11:33, Eoin <eoin.keary at owasp.org> wrote:
>>>> 
>>>>> I'm afraid that is not true..... The 2008 summer of code, leaders were paid. Great
>>>>> projects were delivered.... check the wiki.
>>>>> 
>>>>> Can we let the board decide this matter? It is what the board is for.
>>>>> 
>>>>> On 12 April 2012 16:05, Dennis Groves <dennis.groves at owasp.org> wrote:
>>>>> 
>>>>> It's not open to all, OWASP leaders must not be paid by OWASP. Did you not read Dinis's
>>>>> message? You seem to fail to understand that OWASP has been down this route of paying its
>>>>> leaders at least twice and it failed both times.
>>>>> 
>>>>> Once you go down that route you destroy OWASP's meritocracy and cease to be an open
>>>>> social organization.
>>>>> 
>>>>> You create a corporation; and corporations are closed not open. You don't for example
>>>>> share openly the salaries of all the different paid employees with each other. Why? Did
>>>>> you watch the TED talk about morality in animals? Even monkeys refuse to work under such
>>>>> conditions. So, you must start closing OWASP. This is no longer OWASP, it's CWASP.
>>>>> 
>>>>> You are right this shouldn't need to be up for discussion, but clearly some members
>>>>> still fail to understand that this is the very fabric of OWASP and that not only is
>>>>> paying OWASP leaders verboten; it is tantamount to destroying OWASP, and I know you are not
>>>>> advocating this! :-)
>>>>> 
>>>>> *I have chosen just a single problem that would result - Dinis has identified over 15 in
>>>>> his email that would require resolutions to make it work*
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> -- Dennis Groves <http://about.me/dennis.groves>, MSc dennis.groves at owasp.org
>>>>> 
>>>>> <http://www.owasp.org/>
>>>>> 
>>>>> /This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0
>>>>> Unported License. To view a copy of this license, visit
>>>>> http://creativecommons.org/licenses/by-nc-nd/3.0/ or send a letter to Creative Commons,
>>>>> 444 Castro Street, Suite 900, Mountain View, California, 94041, USA./
>>>>> 
>>>>> 
>>>>> 
>>>>> On Thu, Apr 12, 2012 at 15:08, Kenneth Van Wyk <ken at krvw.com> wrote:
>>>>> 
>>>>> OK, gotta chime in. I've followed this thread, and frankly, I can't even imagine why it's
>>>>> up for discussion.
>>>>> 
>>>>> If OWASP has money to fund a project/event/whatever, AND
>>>>> 
>>>>> Bidding on that funded effort is open to all, AND
>>>>> 
>>>>> There is a fair and equitable selection process, with appropriate checks and balances,
>>>>> removal of conflicts of interest, AND
>>>>> 
>>>>> An OWASP Leader happens to be selected, THEN
>>>>> 
>>>>> It's a win for everyone.
>>>>> 
>>>>> OWASP gets the effort from the person(s) selected.
>>>>> 
>>>>> The selected person(s) gets revenue for his/her efforts.
>>>>> 
>>>>> I mean, DUH! Why aren't we all doing a face-palm over this non-issue?
>>>>> 
>>>>> Please explain what I'm missing here.
>>>>> 
>>>>> Cheers,
>>>>> 
>>>>> Ken van Wyk
>>>>> 
>>>>> 
>>>>> 
>>>>> _______________________________________________ OWASP-Leaders mailing list 
>>>>> OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org> 
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>> 
>>>>> 
>>>>> 
>>>>> -- Eoin Keary OWASP Global Board Member (Vice Chair)
>>>>> 
>>>>> https://twitter.com/EoinKeary
>>>>> 
>>>>> 
>>>> -- Eoin Keary OWASP Global Board Member (Vice Chair)
>>>> 
>>>> https://twitter.com/EoinKeary
>>>> 
>>>> 
>> 
>> -- "... static analysis is fun, again!"
>> 
>> OWASP Orizon project leader, http://github.com/thesp0nge/owasp-orizon OWASP Esapi Ruby project
>> leader, https://github.com/thesp0nge/owasp-esapi-ruby
>> 
>> 
> 
> 
> -- 
> Arturo "Buanzo" Busleiman - MUSICA: soundcloud.com/no-carrier
> Independent Linux and Security Consultant - 16+y of IT exp. at your service .
> OWASPer - http://www.buanzo.com.ar/pro/eng.html                             ..:

