[Owasp-leaders] Feedback Documentation Evaluation Proposal

Kevin W. Wall kevin.w.wall at gmail.com
Fri Aug 15 03:11:16 UTC 2014

[Note: Dropped project-task-force mailing list as I am not subscribed to that]

On Sun, Aug 10, 2014 at 6:37 PM, johanna curiel curiel
<johanna.curiel at owasp.org> wrote:
> On Sunday, August 10, 2014, Larry Conklin <larry.conklin at owasp.org> wrote:
[big snip]
>> 2. Document says it will include automated systems. What systems? OWASP, third party applications, etc?
> Grammar checking and plagiarism
>> 3. Plagiarism checker? Which one and who is paying for it, OWASP and or
>> project. This can get costly. If the code review takes content out of a
>> cheat sheet and puts it into Code Review Guide is this plagiarism?
>> Plagiarism is about ownership of content. I don’t want us to get into an
>> ownership battle. Consider the turn of events, if someone takes content out
>> of Code Review Guide, publishes it in a research paper or blog, and then we
>> update the Code Review Guide and run plagiarism checker how would this
>> situation be resolved? Remember everything OWASP does should be open
>> license, hence free to copy. Free to copy causes plagiarism errors.
> OWASP will pay for this plagiarism checker. Keep in mind that we as
> reviewers use these tools however in the end we still need to check the
> results and confirm this information.

One thing that I hope we can clear up now is will it be okay for one
OWASP document to reference another OWASP document in the cases when
both documents have had their copyrights turned over to the OWASP Foundation.
Given the dynamic nature of wikis, something cited today may disappear
tomorrow and that could lead to even greater confusion. If we do decide
to do this, some policies / guidelines are in order. For instance, citing
the OWASP Dev Guide for something may be one thing, but trying to figure
out which individual wrote the particular paragraph that is being cited
is probably more trouble than it's worth and would likely squash attempts
to cite other OWASP documents. We don't want to arrive with unintended
consequences where we make it difficult to cite our own wiki and our
own documentation projects.

>> 4. Open source, there are many open source licenses
>> (http://opensource.org/licenses), Apache, GNU, etc. are we saying all
>> projects have to be the same open source license? This is something I would
>> encourage. Just makes life easier.
> So far project leaders decide what kind of license they want to provide.
> Maybe something to think about for the future.

For documentation, by far the most common license is Creative Commons,
although the attributes certainly vary according to the wishes of
the author(s).  Most of the other open source licenses are intended
for source code rather than documentation.


>> 3. Hiring experts. Isn't that us? I understand the intent but this
>> language can be very offensive to the community.
>> IEEE hires experts to review documentation because people won't do it for
>> free. This is my point. The people to review can be from our community but
>> if no one takes the time to review then how are we going to do this?

While this is true, both the IEEE and ACM rely heavily on volunteers
as well. In fact that's the first choice. More than 10 years ago, I
did volunteer work for each of them to review and/or referee some of
their publications / papers (more so for ACM though).

I think a better question might be, if our experts only have N hours
per week to put toward OWASP, is that how we would like them spending
their time? If not, then hiring is probably the better option here.


Blog: http://off-the-wall-security.blogspot.com/
NSA: All your crypto bit are belong to us.
