[Owasp-leaders] [GPC] Fw: Remote Repositories on SourceForge - TOPIC CLOSED

Chris Schmidt chris.schmidt at owasp.org
Fri Jan 6 03:41:25 UTC 2012

First of all, just to be perfectly clear, this reply *is not* on behalf
of the GPC. Though I am a member, everything I say is from me and me
alone. When you quote something I said in this post in some future
attempt to discredit or defame me, make sure you quote it accurately
please. As a point of fact, I was advised by multiple parties to walk
away from this without response - but most of the people on this list
who know me, know that there was a slim chance of that happening.

Now, onto the topic(s) at hand.

> The tender is anti-competitive, closed and the chosen winner, of which
> there were four niche or unpopular candidates which is not "many" as
> you have inferred above, was preselected.

I'm sorry, but you are completely wrong here. We solicited several
vendors - including GitHub with ample time for the vendors to respond
with an intent to submit a proposal. I personally solicited several
vendors using whatever contact information I could gather to notify them
of the RFP as well as submitting my own competitive proposal to execute
on the initiative myself. If you are going to make accusations, you
should at the very least get some of the facts right. Sourceforge was
absolutely *not* preselected as you state. As a matter of fact, our
initial vendor of choice was Google who declined the opportunity to
submit a proposal then reconsidered 2 days prior to the scheduled GPC
meeting in Dublin where we reviewed the proposals and voted. We extended
our decision to the last day in an effort to give Google a chance to
submit their proposal for consideration - well past the closing of the
RFP, so if anyone received preferential treatment in the process, it was
them. Also, let's be honest here; if we were showing favoritism why
wouldn't we have accepted the proposal from Larry and myself - I don't
know about you, but I am sure I could have used the extra monthly income.

Of the 4 proposals received SourceForge addressed each of the RFP points
in turn, illustrating how they could offer a solution to the requirement
- whereas others either sent us proposals that didn't address our needs
at all or were simply not well thought out.

> Furthermore, I would like to know if
> https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
> was enforced during procurement (it is not referenced in the tender)
> as SourceForge has an extensive history of webappsec vulnerabilities
> which could impact the "brand" of ESAPI?

Sure, you are absolutely correct - SourceForge has been breached. One of
the impressive aspects of that was the way that SourceForge handled
those breaches. They were open and transparent about the attack and
their investigation. They resolved the issues which resulted in the
breach promptly with ample notification to their clients. While speaking
with them on the phone regarding the most recent breach as a result of a
CVS configuration error - they were 100% open and forthcoming. They also
recognized an opportunity to form a partnership with OWASP to help
increase their security posture. They have expressed a great deal of
interest in implementing OWASP projects into their own offerings.

> I have read all the reference material on the tender and the
> associated background information (including the GPC Board Annual
> Reports
> where it states "Investigate the usage of a centralized OWASP project
> repository for *all* OWASP projects,") and Jason clearly acknowledges
> within https://www.owasp.org/download/jmanico/owasp_podcast_88.mp3
> that the GPC has been accused of extensive favoritism in the past.

I doubt that you have indeed read all the reference material regarding
our decision and selection process. If you had, even you would not be
able to conjure some of the wild accusations you have made regarding
this initiative. Ideally, all OWASP projects should use the same
process, same hosting for source, and same set of guidelines for
releases but we had to make accommodations and negotiations to try and
keep our existing project leaders happy. We understand that moving
repositories, issue trackers, and other project related information is
just not doable for some people - however, contrary to what some have
insinuated, the enforcement of policy and hosting absolutely *does not*
hurt creativity or volunteerism - and by no means does it reduce
likelihood of new projects coming under the OWASP umbrella.

Allow me to cite a few examples.

1) Apache Software Foundation - The Apache Software Foundation is
arguably one of the most successful open source organizations of all
time. The foundation has a tough onboarding process for new projects to
become part of ASF proper, however the entry point for podling and
incubator projects is much lower. Additionally, projects branded under
the Apache umbrella must be hosted at Apache's hosting, using Apache
branded tools for development and documentation and share a common
template for front material.

2) Apple - Though not open source, the Apple Store model has proven
itself time and again as a viable model for quality control and
reliability. Though they have executed very poorly on the model at times
- the 2 cornerstones of the Apple Store (Quality and Reliability) are
paramount in this industry. We ask people to use our libraries to secure
their code - use our tools to test their applications - use our
documents as foundations for application security initiatives. Without
stringent quality control processes and a high degree of reliability
among those things there is nothing to separate OWASP from anyone else
aside from our name - and all it takes is one bad seed to ruin that.

Would you really have the audacity to claim that *either* of the above
examples have slowed down innovation for their developers - or that the
users have suffered as a direct result of the controls that they have
put in place and enforced?

> I am bringing this to the attention of Project "Leaders" on the "Leaders"
> Mailing List because they collectively believe that this poor decision
> impacts their contribution to "make things better and further the
> mission".

As has been pointed out - time and time and time again Christian; there
was a long period of time between when we as the GPC voted and made our
decision and when we signed a contract with SourceForge. Our decision
was made public and up for debate and conversation for months without so
much as a squeak or peep from anyone. As soon as the decision became
final is when people started throwing around feedback contrary to our
decision. The big difference is that even though Mark may not see eye to
eye with us, or agree 100% with our decision - he was willing to hop on
a conference call (he even hosted it) to discuss in further detail and
understand our decision. In the end, he doesn't agree that we made the
right decision, and quite frankly that is his prerogative; however he
has accepted it for what it is.

On top of that, it has now been more months (as Michael already pointed
out) since the decision was made and acted upon. I am not sure what you
are hoping to accomplish by pursuing this email thread any further other
than to conclude that you feel the need to stir the proverbial shit-pot
so you can try to prove some point to someone that has nothing to do
with what this thread or initiative are about.

> Dennis and Simon have expressed concerns in this thread as Mark
> Curphey has in the past
> http://www.curphey.com/2011/11/models-for-better-security-communities/

Mark and I have spoken at great length both online and over the phone
regarding his views and mine. We have agreed to disagree on the matter
and Mark has pursued his own path as a result. I do not fault him for
this at all and it has not resulted in any lost respect between us as
professionals or degraded into a libelous mud-flinging as several
conversations in the past have with you. Dennis and Simon are entitled
to their opinions as well, and have expressed them and have (to the best
of my knowledge) accepted compromise in the interest of the organization
and projects initiative as a whole.

> If the issue was settled months ago then why is it still subject to
> hearsay and innuendo as expressed by both Simon and Dennis and I? I
> understand that this decision has been carried from the prior Board and
> that it places you in a situation that is not your doing. The correct
> course of action is to admit that a mistake has been made and how we can
> transition from the poor selection of SourceForge to GitHub (even if
> that involves burning the investment) or OWASP will continue to lose
> more Project Leaders.

The correct course of action is to follow process and when this contract
is up for negotiation near the end of the year express your opinions in
the appropriate manner. If GitHub had submitted a proposal even half as
thought out as the one we received from SourceForge it may well have
been them that we signed a contract with. The fact of the matter is that
a mere matter of months after receiving our RFP and declining the
opportunity to submit a proposal - they came out with a service whose
product offering read like a direct response to our RFP in several
cases. Yet still, they have not approached us with any interest in doing
business with us. I'm sorry, but I would rather work with someone who
maybe lacks a little of the social glitter but more than makes up for it
in personality. Project leaders are still more than welcome to host
their projects wherever they choose, so if you are that obsessed with
GitHub - by all means, put everything and the kitchen sink on their
service. I too have some project material hosted at GitHub and it is
likely that the ESAPI source will ultimately end up there with a
connector plugin written for the ESAPI SourceForge site.

I would ask - once again, that this issue be put to rest. We have no
intention of backing out of a contract with a vendor that is practically
bending over backwards for us just because a few people are upset about
the decision that they took no part in when they had the opportunity to
do so. I respect Mark, Dennis and Simon's positions on the matter but
your emails read like trolls intended to elicit exactly the kind of
responses that you have gotten so you could bait people into arguments.

In closing, I would ask that if this thread and the accusations made
continue that Christian's membership be taken into consideration by the
BoD under Article 4.0.3 of the OWASP Bylaws. Although Christian has in
the past made valuable contributions to this community the only
contribution I have seen since his return is to make accusations of
other OWASP volunteers or speak on behalf of others that never asked him
to do so. It would appear that he holds some grudge against other OWASP
members as a result of the outcome of the inquiry into the Google
Hacking Project and is apparently hellbent on trying to turn people
within this organization against each other as a response. He has clearly
violated the Code of Ethics on several occasions and has on multiple
occasions attempted to twist the bylaws to address the facts or twist
the facts to address the bylaws in an effort to discredit other OWASP
volunteers. This thread is no exception.

Christian, thank you for your concerns regarding this matter. We have
noted your displeasure and you are more than welcome to join us at the
end of the year for further discussion on this topic in the appropriate
venue as long as you maintain professionalism.
