[Owasp-leaders] Proposing new guidelines to start code/tool projects

johanna curiel curiel johanna.curiel at owasp.org
Sat Aug 23 18:18:59 UTC 2014


Hi Tobias

Thank you for your feedback, and here are my clarifications:

> - I assume that does not mandate a specific brand of repository. Because I
> think it is important to allow projects to keep the freedom to choose their
> repository (at the very least between several ones).

We can monitor any repository. Leaders are free to choose any one as long
as it's open (meaning read/public access).

> 2. Question:
> to section 2 "General rules for all projects:"
> 2.1. And as you write in the second line "commit of wiki update", I am not
> quite sure about what you mean in the first line with a "project update"?
> (I thought a "commit or wiki update" would be a project update? *scratch*)

Yes, I mean indeed a commit (repository) or a wiki update (it was a typo ;-P)

> 2.2. Why did you use one time 90 days and the other time 80 days? Could we
> please use the same number of days for both?

Another typo, I mean 180 days

> 2.3. Maybe I am not getting something and Condition 1 and condition 2 are
> intended sequential? (my first read was parallel...)

Indeed, the first reminder will be sent within 90 days if we have seen no
activity (wiki or commit) and after 180 days a warning

Hope this has clarified the confusion caused by my typos :)

regards

Johanna


On Sat, Aug 23, 2014 at 1:11 PM, Tobias <tobias.gondrom at owasp.org> wrote:

>  Johanna,
>
> overall support this structure.
>
> With one question and one clarification:
> 1. Clarification:
> to your point "They need to have a repository even if empty, because this
> will allow us to automate the monitoring of their progress" - I assume that
> does not mandate a specific brand of repository. Because I think it is
> important to allow projects to keep the freedom to choose their repository
> (at the very least between several ones).
>
> 2. Question:
> to section 2 "General rules for all projects:"
> 2.1. And as you write in the second line "commit of wiki update", I am not
> quite sure about what you mean in the first line with a "project update"?
> (I thought a "commit or wiki update" would be a project update? *scratch*)
> 2.2. Why did you use one time 90 days and the other time 80 days? Could we
> please use the same number of days for both?
> 2.3. Maybe I am not getting something and Condition 1 and condition 2 are
> intended sequential? (my first read was parallel...)
>
> Best wishes, Tobias
>
>
>
>
>
> On 23/08/14 17:46, johanna curiel curiel wrote:
>
> Leaders,
>
>  After hearing your concerns and some ideas from Kait-Disney and the
> project task force members, I'm proposing the following, which hopefully
> will help us reach better guidelines and fewer empty projects
>
>  We will allow Incubator projects a 1 year deadline BUT with the
> following conditions:
>
>    - They will need a clear deadline proposal roadmap for the next 90 days
>     - We will provide an example on the wiki template of what we expect
>    to see
>     - We will provide a 'Start up kit' cheat sheet with all the
>    goodies (how to get money for project, participate in Google Summer of Code
>    program, Winter of Code program, Wiki template, Project summit
>    presentations, GitHub repository etc.)
>    - If they do not present a clear roadmap with deadlines, the project
>    will not be accepted
>     - They need to have a repository even if empty, because this will
>    allow us to automate the monitoring of their progress
>     - The wiki page must be COMPLETE. No empty descriptions or half info
>    there. This will not be accepted.
>
>
>  We will create a webbot to track all wiki project pages based on the
> latest updates and based on that we will create reminders every 90 days
> about the activity to ALL project leaders (not just incubators).
>
>  General rules for all projects:
>
>    - Project leaders will receive 1 reminder if the project hasn't been
>    updated at all in 90 days.
>     - Project leaders will receive 1 warning if no commit or wiki
>    update has been done in 80 days or if they don't give us feedback about the
>    situation of their project
>     - The third one will be final and the project will be set in the
>    inactive list
>    - Remember you can always revive the project but you will need a
>    roadmap in order to do this.
>
>
>  regards
>
>  Johanna
>
>
>
> On Thu, Aug 21, 2014 at 11:09 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> Jim and leaders,
>>
>>  The idea of the whiteboard is that no one needs to maintain this ;-).
>> It is just a whiteboard with idea-projects hanging there in order for people
>> to join and find contributors to pull off their project. What I'm trying to
>> do is be realistic about the maintenance of project inventory and how OWASP
>> looks to the outsiders. Empty projects look really bad. Don't expect
>> potential users to go read your roadmap and come back when you say you are
>> ready.
>>
>>  On the other hand, the 90 day issue is, that sometimes an idea takes
>> time to develop, find contributors and the opportunity to work on
>> it. Therefore future project leaders should make use of programs such as
>> Google Summer of Code. Some of the best ideas I have seen have flourished
>> during this program. If you want this into production, project leaders can
>> place their ideas in the Gsoc idea page (
>> https://www.owasp.org/index.php/GSoC2014_Ideas) jump the wagon to get
>> students, apply to develop the 'idea'. OWTF, ZAP, PHPSEC, WEBGOATPHP have
>> made enormous progress during this program, and when we did the call, only
>> 12 projects applied!! So where are the active project leaders even when
>> they had a chance like this to get a student paid for 3 months to work on
>> their projects including 500 dollars for their project per student?
>>
>>  >In the past, many projects got approved that probably should not have
>> been, but I'm trying to ensure that fully formed project ideas are the ones
>> that make it through.
>>  I believe this will definitely help put a minimum entry level.
>>
>>  I would like to find a middle ground to have a realistic review
>> process based on our capacity to review projects, allow ideas to develop but
>> also, have better quality for potential users of OWASP projects. I repeat,
>> empty project pages might have been the norm but this really looks bad.
>>
>>  regards
>>
>>  Johanna
>>
>>
>>  On Thu, Aug 21, 2014 at 10:34 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> Hi Kait (Gregory)
>>>
>>>  I agree with you on this and I think that the problem has been this:
>>> *when they submit their project they have an outline of the project and a
>>> roadmap*
>>>
>>>  If you take a look at those empty projects, their outline is way too
>>> vague, not even a clear description of what the project is about and
>>> there is not a clear plan for the roadmap. So we really need to review
>>> more carefully when allowing an incubator to begin. Ideally we should provide a
>>> clear example. The 90 days deadline sounds very good to me.
>>>
>>>  The idea of a 90 day puts pressure into it. After 90 days no code,
>>> then inactive.
>>>
>>>  regards
>>>
>>>  Johanna
>>>
>>>
>>>  On Thu, Aug 21, 2014 at 10:20 PM, Gregory Disney <
>>> gregory.disney at owasp.org> wrote:
>>>
>>>> Repost from Kait, because she keeps getting kicked off the leaders
>>>> list.
>>>>
>>>> ==========================================================================================
>>>> I brought this up with Johanna earlier today in regards to what should
>>>> be done with new projects.
>>>>
>>>>  It's my opinion that requiring new projects to have source code
>>>> written before they can become a project will alienate would be project
>>>> leaders. For many new projects, when they submit their project they have an
>>>> outline of the project and a roadmap. This is especially true for
>>>> documentation projects, which may not have a draft yet at the time they
>>>> apply.
>>>>
>>>>  I propose instead that we continue to approve projects that have a
>>>> fleshed out project outline and require that they have progress on the
>>>> project within 90 days. After 90 days, these new projects should be
>>>> reviewed for progress. This doesn't have to be an in-depth review, more of
>>>> a check in with the project leader to see if their repository is posted, if
>>>> they have source code, or a draft in cases of documentation projects.
>>>> If after 90 days, there has been no progress on the project, those
>>>> projects should be considered inactive.
>>>>
>>>>  By making progress a requirement in the first 90 days, we can avoid
>>>> the problem we have now, which is that several projects enjoy active
>>>> project status while having never produced anything for the project.
>>>>
>>>>  Please let me know what you think.
>>>>
>>>>
>>>>  On Thu, Aug 21, 2014 at 7:14 PM, Jonathan Marcil <
>>>> jonathan.marcil at owasp.org> wrote:
>>>>
>>>>>  Oh I see, if you want to add another step in the new project adoption
>>>>> life cycle.. well go ahead!
>>>>>
>>>>> Also, if there's no time limit, you'll kill that special motivation of
>>>>> an urge to deliver something. For some people it may actually help
>>>>> motivate them to release. Others will release anyways. Pressure can be
>>>>> good. It can be another period than one year.. maybe 6 months I don't know.
>>>>>
>>>>> All that said, I hope you don't plan to move everything to whiteboard
>>>>> by default.. As a project starter, I kind of accepted the rule of "one
>>>>> year or the project is out of incubator" and would not like the rules to
>>>>> change in the middle or having to adhere to another process I won't
>>>>> need in 2 months. Good news about that is that if you apply the one year
>>>>> timeout of the initial agreement, you'll be free of "dead" incubator
>>>>> projects within one year anyways.
>>>>>
>>>>> Thanks!
>>>>>
>>>>> - Jonathan
>>>>>
>>>>>
>>>>> On 2014-08-21 21:52, johanna curiel curiel wrote:
>>>>> > Jonathan and leaders
>>>>> >
>>>>> > I would love to allow idea-projects to hang for a year but what I have
>>>>> > seen after reviewing this for almost 2 years, that the project leader
>>>>> > loses pressure to create something in that period and many projects in
>>>>> > the end die like this.
>>>>> >
>>>>> > If we allow idea-projects to hang for a year, the amount of work becomes
>>>>> > quite big with all the projects that must be reviewed and managed.
>>>>> > This process has failed twice, with the Global Committee and the
>>>>> > technical advisory board. Setting the bar higher challenges project
>>>>> > leaders to really work on it and not let it hang for a year, in the
>>>>> > meanwhile, people (potential users) of your project, visit the wiki and
>>>>> > get disappointed to see anything on it.
>>>>> >
>>>>> > The idea of the Whiteboard, can allow future project leaders to set
>>>>> > this as an idea-project and get contributors, but the expectations are
>>>>> > different, especially for potential users. They know that this is just
>>>>> > an idea and the project hasn't developed yet. When you are ready to
>>>>> > take it to the next step, then it becomes a tangible project, and once
>>>>> > done that, then the real work begins to keep the project alive and
>>>>> > kicking, but that's much easier to monitor than communicating through
>>>>> > email every time to see if the project is alive and in the meanwhile
>>>>> > the wiki page is outdated and no code has been produced. It damages
>>>>> > OWASP reputation.
>>>>> >
>>>>> > We need to develop and design a 'Startup' like program where we
>>>>> > provide training to potential project leaders how to make that idea a
>>>>> > prototype. Just like with 'Accelerators'. Since we work globally, I
>>>>> > think this should be available online (through courser for example)
>>>>> > and have these programs twice a year for example.
>>>>> >
>>>>> > regards
>>>>> >
>>>>> > Johanna
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> > On Thu, Aug 21, 2014 at 9:30 PM, Jim Manico <jim.manico at owasp.org>
>>>>> > wrote:
>>>>> >
>>>>> >     > Last but not least, thank you a lot for your efforts Johanna,
>>>>> >     > you are keeping the main backbone of OWASP healthy and not anyone
>>>>> >     > has the courage and toughness to do so.
>>>>> >
>>>>> >     +1000
>>>>> >
>>>>> >     More positive work and progress around projects has been done in
>>>>> >     the last few months than several years past. We are very lucky to
>>>>> >     have your "extreme volunteerism", Johanna.
>>>>> >
>>>>> >     PS: +1 On the sandbox idea. Perhaps call it "the whiteboard"
>>>>> >     instead of "sandbox" to denote an "IT centric idea"
>>>>> >
>>>>> >     Aloha,
>>>>> >     --
>>>>> >     Jim Manico
>>>>> >     @Manicode
>>>>> >     (808) 652-3805
>>>>> >
>>>>> >     > On Aug 21, 2014, at 8:23 PM, Jonathan Marcil
>>>>> >     > <jonathan.marcil at owasp.org> wrote:
>>>>> >     >
>>>>> >     > Last but not least, thank you a lot for your efforts Johanna,
>>>>> >     > you are keeping the main backbone of OWASP healthy and not anyone
>>>>> >     > has the courage and toughness to do so.
>>>>> >
>>>>> >
>>>>>    _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>
>>>>
>>>>
>>>
>>
>