[Owasp-leaders] [GPC] Fw: Remote Repositories on SourceForge - TOPIC CLOSED

dinis cruz dinis.cruz at owasp.org
Fri Jan 6 09:37:20 UTC 2012

Chris is spot on, and is last point on Christian membership should be acted

We only get negative energy from Christian and he has made wild+offensive
accusations to a large number of core Owasp contributors.

Although some of the issues have some merit, the way Christian raises them
always end up in defamation and energy sucking exercises (and actually have
the side effect to preventing a rational discussion about those issues)

I ask the Board to take a position on this issue

Dinis Cruz

On 6 Jan 2012, at 03:42 AM, Chris Schmidt <chris.schmidt at owasp.org> wrote:

 First of all, just to be perfectly clear, this reply *is not* on behalf of
the GPC. Though I am a member, everything I say is from me and me alone.
When you quote something I said in this post in some future attempt to
discredit or defame me, make sure you quote it accurately please. As a
point of fact, I was advised by multiple parties to walk away from this
without response - but most of the people on this list who know me, know
that there was a slim chance of that happening.

Now, onto the topic(s) at hand.

> The tender is anti-competitive, closed and the chosen winner, of which
> there were four niche or unpopular candidates which is not "many" as
> you have inferred above, was preselected.

I'm sorry, but you are completely wrong here. We solicited several vendors
- including GitHub with ample time for the vendors to respond with an
intent to submit a proposal. I personally solicited several vendors using
whatever contact information I could gather to notify them of the RFP as
well as submitting my own competitive proposal to execute on the initiative
myself. If you are going to make accusations, you should at the very least
get some of the facts right. Sourceforge was absolutely *not* preselected
as you state. As a matter of fact, our initial vendor of choice was Google
who declined the opportunity to submit a proposal then reconsidered 2 days
prior to the scheduled GPC meeting in Dublin where we reviewed the
proposals and voted. We extended our decision to the last day in an effort
to give Google a chance to submit there proposal for consideration - well
past the closing of the RFP, so if anyone received preferential treatment
in the process, it was them. Also, let's be honest here; if we were showing
favoritism why wouldn't we have accepted the proposal from Larry and myself
- I don't know about you, but I am sure I could have used the extra monthly

Of the 4 proposals received SourceForge addressed each of the RFP points in
turn, illustrating how they could offer a solution to the requirement -
whereas others either sent us proposals that didn't address our needs at
all or were simply not well thought out.

> Furthermore, I would like to know if
> https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
> was enforced during procurement (it is not referenced in the tender)
> as SourceForge has an extensive history of webappsec vulnerabilities
> which could impact the "brand" of ESAPI?

Sure, you are absolutely correct - SourceForge has been breached. One of
the impressive aspects of that was the way that SourceForge handled those
breaches. They were open and transparent about the attack and their
investigation. They resolved the issues which resulted in the breach
promptly with ample notification to their clients. While speaking with them
on the phone regarding the most recent breach as a result of a CVS
configuration error - they were 100% open and forthcoming. They also
recognized an opportunity to form a partnership with OWASP to help increase
their security posture. They have expressed a great deal of interest in
implementing OWASP projects into their own offerings.

> I have read all the reference material on the tender and the
> associated background information (including the GPC Board Annual
> Reports
> where it states "Investigate the usage of a centralized OWASP project
> repository for *all* OWASP projects,") and Jason clearly acknowledges
> within https://www.owasp.org/download/jmanico/owasp_podcast_88.mp3
> that the GPC has been accused of extensive favoritism in the past.

I doubt that you have indeed read all the reference material regarding our
decision and selection process. If you had, even you would not be able to
conjure some of the wild accusations you have made regarding this
initiative. Ideally, all OWASP projects should use the same process, same
hosting for source, and same set of guidelines for releases but we had to
make accommodations and negotiations to try and keep our existing project
leaders happy. We understand that moving repositories, issue trackers, and
other project related information is just not doable for some people -
however, contrary to what some have insinuated, the enforcement of policy
and hosting absolutely *does not* hurt creativity or volunteerism - and by
no means does it reduce likelihood of new projects coming under the OWASP

Allow me to cite a few examples.

1) Apache Software Foundation - The Apache Software Foundation is arguably
one of the most successful open source organizations of all time. The
foundation has a tough onboarding process for new projects to become part
of ASF proper, however the entry point for podling and incubator projects
is much lower. Additionally, projects branded under the Apache umbrella
must be hosted at Apache's hosting, using Apache branded tools for
development and documentation and share a common template for front

2) Applie - Though not open source, the Apple Store model has proven itself
time and again as a viable model for quality control and reliability.
Though they have executed very poorly on the model at times - the 2
cornerstones of the Apple Store (Quality and Reliability) are paramount in
this industry. We ask people to use our libraries to secure their code -
use our tools to test their applications - use our documents as foundations
for application security initiatives.  Without stringent quality control
processes and a high degree of reliability among those things there is
nothing to separate OWASP from anyone else aside from our name - and all it
takes is one bad seed to ruin that.

Would you really have the audacity to claim that *either* of the above
examples have slowed down innovation for their developers - or that the
user's have suffered as a direct result of the controls that they have put
in place and enforced?

> I am bring this to the attention of Project "Leaders" on the "Leaders"
> Mailing List because they collectivity believe that this poor decision
> impacts their contribution to "make things better and further the
> mission".

As has been pointed out - time and time and time again Christian; there was
a long period of time between when we as the GPC voted and made our
decision and when we signed a contract with SourceForge. Our decision was
made public and up for debate and conversation for months without so much
as a squeak or peep from anyone. As soon as the decision became final is
when people started throwing around feedback contrary to our decision. The
big difference is that even though Mark may not see eye to eye with us, or
agree 100% with our decision - he was willing to hop on a conference call
(he even hosted it) to discuss in further detail and understand our
decision. In the end, he doesn't agree that we made the right decision, and
quite frankly that is his prerogative; however he has accepted it for what
it is.

On top of that, it has now been more months (as Michael already pointed
out) since the decision was made and acted upon. I am not sure what you are
hoping to accomplish by pursuing this email thread any further other than
to conclude that you feel the need to stir the proverbial shit-pot so you
can try to prove some point to someone that has nothing to do with what
this thread or initiative are about.

> Dennis and Simon have expressed concerns in this thread as Mark
> Curphey has in the past
> http://www.curphey.com/2011/11/models-for-better-security-communities/
Mark and I have spoken at great length both online and over the phone
regarding his views and mine. We have agreed to disagree on the matter and
Mark has pursued his own path as a result. I do not fault him for this at
all and it has not resulted in any lost respect between us as professionals
or degraded into a libelous mud-flinging as several conversations in the
past have with you. Dennis and Simon are entitled to their opinions as
well, and have expressed them and have (to the best of my knowledge)
accepted compromise in the interest of the organization and projects
initiative as a whole.

> If the issue was settled months ago then why is it still subject to
hearsay and innuendo as expressed by both Simon and Dennis and I? I
understand that this decision has been carried from the prior Board and
that it places you in situation that is not your doing. The correct course
of action is to admit that a mistake has been made and how we can
transition from the poor selection of SourceForge to GitHub (even if that
involves burning the investment) or OWASP will continue to lose more
Project Leaders.

The correct course of action is to follow process and when this contract is
up for negotiation near the end of the year express your opinions in the
appropriate manner. If GitHub had submitted a proposal even half as thought
out as the one we received from SourceForge it may well have been them that
we signed a contract with. The fact of the matter is that a mere matter of
months after receiving our RFP and declining the opportunity to submit a
proposal - they came out with a service whose product offering read like a
direct response to our RFP in several cases. Yet still, they have not
approached us with any interest in doing business with us. I'm sorry, but I
would rather work with someone who maybe lacks a little of the social
glitter but more than makes up for it in personality. Project leaders are
still more than welcome to host there projects wherever they choose, so if
you are that obsessed with GitHub - by all means, put everything and the
kitchen sink on their service. I too have some project material hosted at
GitHub and it is likely that the ESAPI source will ultimately end up there
with a connector plugin written for the ESAPI SourceForge site.

I would ask - once again, that this issue be put to rest. We have no
intention of backing out of a contract with a vendor that is practically
bending over backwards for us just because a few people are upset about the
decision that they took no part in when they had the opportunity to do so.
I respect Mark, Dennis and Simon's positions on the matter but your emails
read like trolls intended to elicit exactly the kind of responses that you
have gotten so you could bait people into arguments.

In closing, I would ask that if this thread and the accusations made
continue that Christian's membership be taken into consideration by the BoD
under Article 4.0.3 of the OWASP Bylaws. Although Christian has in the past
made valuable contributions to this community the only contribution I have
seen since his return is to make accusations of other OWASP volunteers or
speak on behalf of others that never asked him to do so. It would appear
that he holds some grudge against other OWASP members as a result of the
outcome of the inquiry into the Google Hacking Project and is apparently
hellbent on trying to turn people within this organization against
eachother as a response. He has clearly violated the Code of Ethics on
several occasions and has on multiple occasions attempted to twist the
bylaws to address the facts or twist the facts to address the bylaws in an
effort to discredit other OWASP volunteers. This thread is no exception.

Christian, thank you for your concerns regarding this matter. We have noted
your displeasure and you are more than welcome to join us at the end of the
year for further discussion on this topic in the appropriate venue as long
as you maintain professionalism.

OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20120106/0b09b7f8/attachment-0001.html>

More information about the OWASP-Leaders mailing list