[Owasp-leaders] [GPC] Fw: Remote Repositories on SourceForge - TOPIC CLOSED

Christian Heinrich christian.heinrich at owasp.org
Sun Jan 8 08:39:27 UTC 2012


On Fri, Jan 6, 2012 at 2:41 PM, Chris Schmidt <chris.schmidt at owasp.org> wrote:
> I'm sorry, but you are completely wrong here. We solicited several vendors -
> including GitHub with ample time for the vendors to respond with an intent
> to submit a proposal. I personally solicited several vendors using whatever
> contact information I could gather to notify them of the RFP as well as
> submitting my own competitive proposal to execute on the initiative myself.
> If you are going to make accusations, you should at the very least get some
> of the facts right. Sourceforge was absolutely *not* preselected as you
> state. As a matter of fact, our initial vendor of choice was Google who
> declined the opportunity to submit a proposal then reconsidered 2 days prior
> to the scheduled GPC meeting in Dublin where we reviewed the proposals and
> voted. We extended our decision to the last day in an effort to give Google
> a chance to submit their proposal for consideration - well past the closing
> of the RFP, so if anyone received preferential treatment in the process, it
> was them. Also, let's be honest here; if we were showing favoritism why
> wouldn't we have accepted the proposal from Larry and myself - I don't know
> about you, but I am sure I could have used the extra monthly income.

Until you can show me (private) correspondence otherwise
doesn't list GitHub and furthermore considering their service is
"free" for Open Source Projects do you really expect their sales team
to spend their non-billable time to outline how their "free" service
benefits OWASP?

If the candidates that responded are deemed unsuitable within the time
limit then the decision should have been deferred i.e. there would
not have been an issue if you have to wait for Google to respond who
would have been a better choice than SourceForge also.

The hardware selected within your submission from you and Larry is
significantly more powerful than what is required and the fact that you
and Larry are both GPC members and employees of Aspect Security would
suggest a perceived conflict of interest (if unintended).

On Fri, Jan 6, 2012 at 2:41 PM, Chris Schmidt <chris.schmidt at owasp.org> wrote:
> Of the 4 proposals received SourceForge addressed each of the RFP points in
> turn, illustrating how they could offer a solution to the requirement -
> whereas others either sent us proposals that didn't address our needs at all
> or were simply not well thought out.

If the CFP is executed without a perceived conflict of interest then
you would have attempted to seek this (missing) information from the
other candidates to have at least two equal candidates to make a
decision from?

On Fri, Jan 6, 2012 at 2:41 PM, Chris Schmidt <chris.schmidt at owasp.org> wrote:
> Sure, you are absolutely correct - SourceForge has been breached. One of the
> impressive aspects of that was the way that SourceForge handled those
> breaches. They were open and transparent about the attack and their
> investigation. They resolved the issues which resulted in the breach
> promptly with ample notification to their clients. While speaking with them
> on the phone regarding the most recent breach as a result of a CVS
> configuration error - they were 100% open and forthcoming. They also
> recognized an opportunity to form a partnership with OWASP to help increase
> their security posture. They have expressed a great deal of interest in
> implementing OWASP projects into their own offerings.

Sorry, but this is standard marketing exploitation of a security
project by their (SourceForge's) sales team i.e. "[SourceForge's] code
is secure otherwise OWASP wouldn't have selected us to host their

Furthermore, OWASP is giving them money for this exploitation.

On Fri, Jan 6, 2012 at 2:41 PM, Chris Schmidt <chris.schmidt at owasp.org> wrote:
> I doubt that you have indeed read all the reference material regarding our
> decision and selection process. If you had, even you would not be able to
> conjure some of the wild accusations you have made regarding this
> initiative. Ideally, all OWASP projects should use the same process, same
> hosting for source, and same set of guidelines for releases but we had to
> make accommodations and negotiations to try and keep our existing project
> leaders happy. We understand that moving repositories, issue trackers, and
> other project related information is just not doable for some people -
> however, contrary to what some have insinuated, the enforcement of policy
> and hosting absolutely *does not* hurt creativity or volunteerism - and by
> no means does it reduce likelihood of new projects coming under the OWASP
> umbrella.

How many OWASP Projects are hosted on SourceForge compared to other
repositories? It would be a very, very small number considering the
only one that I am aware of is

It is also noted that the GPC didn't approach other Project Leaders
(outside of the GPC) to (informally) endorse the GPC decision.

On Fri, Jan 6, 2012 at 2:41 PM, Chris Schmidt <chris.schmidt at owasp.org> wrote:
> Allow me to cite a few examples.
> 1) Apache Software Foundation - The Apache Software Foundation is arguably
> one of the most successful open source organizations of all time. The
> foundation has a tough onboarding process for new projects to become part of
> ASF proper, however the entry point for podling and incubator projects is
> much lower. Additionally, projects branded under the Apache umbrella must be
> hosted at Apache's hosting, using Apache branded tools for development and
> documentation and share a common template for front material.
On Fri, Jan 6, 2012 at 2:41 PM, Chris Schmidt <chris.schmidt at owasp.org> wrote:
> 2) Apple - Though not open source, the Apple Store model has proven itself
> time and again as a viable model for quality control and reliability. Though
> they have executed very poorly on the model at times - the 2 cornerstones of
> the Apple Store (Quality and Reliability) are paramount in this industry. We
> ask people to use our libraries to secure their code - use our tools to test
> their applications - use our documents as foundations for application
> security initiatives.  Without stringent quality control processes and a
> high degree of reliability among those things there is nothing to separate
> OWASP from anyone else aside from our name - and all it takes is one bad
> seed to ruin that.

Apple didn't select SourceForge to host http://www.macosforge.org/

On Fri, Jan 6, 2012 at 2:41 PM, Chris Schmidt <chris.schmidt at owasp.org> wrote:
> Would you really have the audacity to claim that *either* of the above
> examples have slowed down innovation for their developers - or that the
> users have suffered as a direct result of the controls that they have put
> in place and enforced?

Developers complain about the App Store's selection criteria all the
time and at least they share a common response with OWASP i.e.
http://www.youtube.com/watch?v=ynTtuwQYNmk :)

On Fri, Jan 6, 2012 at 2:41 PM, Chris Schmidt <chris.schmidt at owasp.org> wrote:
> As has been pointed out - time and time and time again Christian; there was
> a long period of time between when we as the GPC voted and made our decision
> and when we signed a contract with SourceForge. Our decision was made public
> and up for debate and conversation for months without so much as a squeak or
> peep from anyone. As soon as the decision became final is when people
> started throwing around feedback contrary to our decision. The big
> difference is that even though Mark may not see eye to eye with us, or agree
> 100% with our decision - he was willing to hop on a conference call (he even
> hosted it) to discuss in further detail and understand our decision. In the
> end, he doesn't agree that we made the right decision, and quite frankly
> that is his prerogative; however he has accepted it for what it is.

The reason for this is that no OWASP Project Leader expected you to
select SourceForge without at least some notice or their own input
into the poor decision.

On Fri, Jan 6, 2012 at 2:41 PM, Chris Schmidt <chris.schmidt at owasp.org> wrote:
> On top of that, it has now been more months (as Michael already pointed out)
> since the decision was made and acted upon. I am not sure what you are
> hoping to accomplish by pursuing this email thread any further other than to
> conclude that you feel the need to stir the proverbial shit-pot so you can
> try to prove some point to someone that has nothing to do with what this
> thread or initiative are about.

Yet I install and manage a number of private repositories based on
git, svn, Serena's PVCS, Microsoft's TFS, etc.

On Fri, Jan 6, 2012 at 2:41 PM, Chris Schmidt <chris.schmidt at owasp.org> wrote:
> The correct course of action is to follow process and when this contract is
> up for negotiation near the end of the year express your opinions in the
> appropriate manner. If GitHub had submitted a proposal even half as thought
> out as the one we received from SourceForge it may well have been them that
> we signed a contract with. The fact of the matter is that a mere matter of
> months after receiving our RFP and declining the opportunity to submit a
> proposal - they came out with a service whose product offering read like a
> direct response to our RFP in several cases. Yet still, they have not
> approached us with any interest in doing business with us. I'm sorry, but I
> would rather work with someone who maybe lacks a little of the social
> glitter but more than makes up for it in personality. Project leaders are
> still more than welcome to host their projects wherever they choose, so if
> you are that obsessed with GitHub - by all means, put everything and the
> kitchen sink on their service. I too have some project material hosted at
> GitHub and it is likely that the ESAPI source will ultimately end up there
> with a connector plugin written for the ESAPI SourceForge site.

There is nothing stopping the GPC from creating an organizational
account on GitHub at this moment?

On Fri, Jan 6, 2012 at 2:41 PM, Chris Schmidt <chris.schmidt at owasp.org> wrote:
> I would ask - once again, that this issue be put to rest. We have no
> intention of backing out of a contract with a vendor that is practically
> bending over backwards for us just because a few people are upset about the
> decision that they took no part in when they had the opportunity to do so. I
> respect Mark, Dennis and Simon's positions on the matter but your emails
> read like trolls intended to elicit exactly the kind of responses that you
> have gotten so you could bait people into arguments.

Claiming that I am trolling is simply an attempt to confuse the issue
that the GPC made a bad decision.

On Fri, Jan 6, 2012 at 2:41 PM, Chris Schmidt <chris.schmidt at owasp.org> wrote:
> In closing, I would ask that if this thread and the accusations made
> continue that Christian's membership be taken into consideration by the BoD
> under Article 4.0.3 of the OWASP Bylaws. Although Christian has in the past
> made valuable contributions to this community the only contribution I have
> seen since his return is to make accusations of other OWASP volunteers or
> speak on behalf of others that never asked him to do so. It would appear
> that he holds some grudge against other OWASP members as a result of the
> outcome of the inquiry into the Google Hacking Project and is apparently
> hellbent on trying to turn people within this organization against each other
> as a response. He has clearly violated the Code of Ethics on several
> occasions and has on multiple occasions attempted to twist the bylaws to
> address the facts or twist the facts to address the bylaws in an effort to
> discredit other OWASP volunteers. This thread is no exception.

If that was the case then I would have referenced this - again
attempting to state that a concern is due to this is misleading and a
poor attempt at muddying the issue at hand.

I suggest that you focus your response on my credentials related to
Distributed Version Control Systems (DVCS) which the GPC considerably

On Fri, Jan 6, 2012 at 2:41 PM, Chris Schmidt <chris.schmidt at owasp.org> wrote:
> Christian, thank you for your concerns regarding this matter. We have noted
> your displeasure and you are more than welcome to join us at the end of the
> year for further discussion on this topic in the appropriate venue as long
> as you maintain professionalism.

I am under no illusion that the GPC won't be more careful with the
selection process next time in light of the increased burden of moving
already transitioned projects off Sourceforge to the next provider.

Again, DVCS (like GIT) would fulfil the requirements of the GPC (i.e.
a remote pull GIT repository) while allowing the Project Leader to
continue with their preferred svn or git repository.

To repeat, there is nothing stopping the GPC from creating an OWASP
organisational account with GitHub and thus ending this dispute. I
will even do this on behalf of the GPC.

Christian Heinrich