[Owasp-leaders] [GPC] Fw: Remote Repositories on SourceForge

Christian Heinrich christian.heinrich at owasp.org
Fri Jan 6 02:03:02 UTC 2012


Michael,

On Fri, Jan 6, 2012 at 10:59 AM, Michael Coates
<michael.coates at owasp.org> wrote:
> No one is trying to fool anyone. We've had a thorough process to evaluate options here.  The whole process was open and many options were considered.  I am very familiar with VCS and DVCS and have been involved in tenders for a number of commercial offerings.

The tender is anti-competitive, closed and the chosen winner, of which
there were four niche or unpopular candidates which is not "many" as
you have inferred above, was preselected.

Furthermore, I would like to know if
https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
was enforced during procurement (it is not referenced in the tender)
as SourceForge has an extensive history of webappsec vulnerabilities
which could impact the "brand" of ESAPI?

Can you share the selection process used for https://github.com/mozilla?

On Fri, Jan 6, 2012 at 10:59 AM, Michael Coates
<michael.coates at owasp.org> wrote:
> Please read past emails (or even listened to Jason's podcast on the topic).  But we're not going to have a conversation about random potential scenarios or people trying to fool each other.

I have read all the reference material on the tender and the
associated background information (including the GPC Board Annual
Reports https://www.owasp.org/index.php/Global_Projects_Committee_-_Annual_Report_2009
where it states "Investigate the usage of a centralized OWASP project
repository for *all* OWASP projects,") and Jason clearly acknowledges
within https://www.owasp.org/download/jmanico/owasp_podcast_88.mp3
that the GPC has been accused of extensive favoritism in the past.

On Fri, Jan 6, 2012 at 10:59 AM, Michael Coates <michael.coates at owasp.org> wrote:
> The volunteers of this organization are working to make things better and further the mission.  If you truly think there is an issue then please bring it to me directly off the leaders list.

I am bringing this to the attention of Project "Leaders" on the "Leaders"
Mailing List because they collectively believe that this poor decision
impacts their contribution to "make things better and further the
mission".

Dennis and Simon have expressed concerns in this thread as Mark
Curphey has in the past
http://www.curphey.com/2011/11/models-for-better-security-communities/

On Fri, Jan 6, 2012 at 10:59 AM, Michael Coates <michael.coates at owasp.org> wrote:
> The leaders list is for constructive collaboration and growth.  Again, the leaders list is not a place for a long winded discussion on this issue that was settled months ago.

If the issue was settled months ago, then why is it still subject to
hearsay and innuendo as expressed by Simon, Dennis and me?

I understand that this decision has been carried over from the prior Board
and that it places you in a situation that is not of your doing.

The correct course of action is to admit that a mistake has been made
and how we can transition from the poor selection of SourceForge to
GitHub (even if that involves burning the investment) or OWASP will
continue to lose more Project Leaders.


-- 
Regards,
Christian Heinrich
http://www.owasp.org/index.php/user:cmlh
