[Owasp-leaders] Regular OWASP polls

Torsten Gigler torsten.gigler at owasp.org
Wed Jan 8 16:25:34 UTC 2014


Hi Simon,

thank you for your idea and for realizing a fast way to get a poll
within OWASP.

What do you think about not storing the email address, but a salted hash
(and not publishing the salt)?
You could still see if anyone votes twice without making the votes public.

@ Simon:
> I'm fine with the voting details (and therefore email addresses) being
> publicly visible - is everyone else?
@ Dinis:
> Having the list of who voted on what is key to have transparency (and
> detect issues like the one I alerted Simon to (the double vote))

Sorry, but I don't see the public presentation of individual votes as
openness. I do think that the individual votes should stay secret due to
privacy protection.
For me this openness only makes sense for public representatives, like the
board members.

Kind regards

Cheers
Torsten
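
One way to implement the salted-hash idea from this message, as an added example that is not part of the original thread: each address is replaced by an HMAC-SHA256 token under a secret per-poll key, so repeat ballots collide while the stored rows contain no addresses. The sample addresses, the key handling and the "first ballot counts" rule are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict


def normalise(email: str) -> str:
    """Canonical form, so ' Alice@OWASP.example' and 'alice@owasp.example' collide."""
    return email.strip().lower()


def voter_token(email: str, key: bytes) -> str:
    """Keyed hash stored in place of the address.

    The set of valid voter addresses is small and guessable, so the key
    (the unpublished "salt") is what stops tokens being matched to people.
    """
    return hmac.new(key, normalise(email).encode("utf-8"), hashlib.sha256).hexdigest()


def record_votes(raw_votes, key):
    """Turn (email, choice) rows into (token, choice) rows; addresses are dropped."""
    return [(voter_token(email, key), choice) for email, choice in raw_votes]


def duplicate_tokens(stored):
    """Tokens that appear on more than one ballot, with the choices they cast."""
    seen = defaultdict(list)
    for token, choice in stored:
        seen[token].append(choice)
    return {t: c for t, c in seen.items() if len(c) > 1}


def tally(stored):
    """Count one ballot per token (assumption: the first one received wins)."""
    counted, totals = set(), defaultdict(int)
    for token, choice in stored:
        if token not in counted:
            counted.add(token)
            totals[choice] += 1
    return dict(totals)


# Constructed sample data: one voter submits twice with different casing.
POLL_KEY = secrets.token_bytes(32)  # kept by the poll owner, never published
RAW = [("alice@owasp.example", "yes"), ("bob@owasp.example", "no"),
       (" Alice@OWASP.example", "yes"), ("carol@owasp.example", "yes")]
STORED = record_votes(RAW, POLL_KEY)

if __name__ == "__main__":
    print("duplicates:", len(duplicate_tokens(STORED)), "tally:", tally(STORED))
```
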


2014/1/8 Dinis Cruz <dinis.cruz at owasp.org>

> Voters should stand by their vote, and if they can be influenced by other
> data (like other votes) then that is a different problem. Also sometimes
> the end date of a vote might not be very well defined.
>
> Having the list of who voted on what is key to have transparency (and
> detect issues like the one I alerted Simon to (the double vote))
>
> I think we need a solution for non @owasp.org emails, so let's see if we
> can figure that out (the key is to be able to map a vote with a
> recognised owasp identity/person)
> On 8 Jan 2014 15:23, "Konstantinos Papapanagiotou" <Konstantinos at owasp.org>
> wrote:
>
>> Hiding the results of the poll until it closes also prevents biased
>> votes. It's not a matter of openness in my opinion.
>>
>> Kostas
>>
>>
>> On Wed, Jan 8, 2014 at 5:13 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>>
>>>  Dear Simon,
>>>
>>> thank you so much for organising this and setting this up.
>>> This is great and I will be looking forward to using this community poll
>>> more in the future!
>>>
>>> And I totally agree with your replies to requests from non-owasp email
>>> holders.
>>> Nothing is perfect and the tool is as it is and naturally has some
>>> technical limitations. In case of public requests, it is fully sufficient
>>> to make available simple summary results after the survey is closed. We
>>> don't need to make huge investments just to publish partial real-time
>>> preliminary update results for the public. In most normal cases, surveys
>>> don't even have preliminary status updates at all.
>>>
>>> All the best, Tobias
>>>
>>>
>>> Ps.: on a technical term, one might also question the requester's
>>> argument that an internal member poll for a decision would qualify as
>>> "OWASP materials". However, personally I just love openness and
>>> transparency and would encourage and embrace if we could post the end
>>> summary results of our community surveys somewhere on our website after
>>> they are finished. (Without publishing details how each single named
>>> individual voted in the poll.)
>>>
>>>
>>>
>>>
>>> On 08/01/14 14:40, psiinon wrote:
>>>
>>>    And another problem...
>>>
>>>  I've been receiving _lots_ of requests to access the form from non
>>> OWASP accounts.
>>>  I have replied to all of them with a canned response of:
>>> I'm afraid this poll is currently only available to people with OWASP
>>> email accounts to ensure that only OWASP members / contributors take part.
>>>
>>> To get an OWASP email address follow the link on
>>> https://www.owasp.org/index.php/Owasp.org_email_address
>>>
>>> Cheers,
>>>
>>> Simon
>>>
>>>  However I've just received a reply of:
>>> Dear Simon,
>>>
>>> the main page of the owasp website states "all of our materials are
>>> available under a free and open software license". Thus I again ask for
>>> these materials.
>>>
>>>  Best regards,
>>> a long-time owasp follower
>>>
>>>  PS: Thanks, I don't need this information, but I am just surprised
>>> that being an all open and free project, you deny access to this
>>> information? Isn't that ignoring the foundaries of the project?
>>>
>>>  For now I'm going to stick with the statement I put on
>>> https://www.owasp.org/index.php/Polls:
>>> Note that only OWASP members can see the 'live' results. A summary of
>>> the results will be made public when the poll closes, but the full details
>>> will stay restricted to OWASP members to prevent email harvesting.
>>>
>>>  However I want to let anyone else have a say on this rather than it
>>> being just my decision.
>>>
>>>  Simon
>>>
>>>
>>> On Wed, Jan 8, 2014 at 2:34 PM, psiinon <psiinon at gmail.com> wrote:
>>>
>>>>    OK, it looks like Google Forms aren't _quite_ as good as they
>>>> initially seem :(
>>>>
>>>>  For a start, there is no easy way to prevent anyone from voting
>>>> multiple times.
>>>>  We can see if anyone does, but that's not always immediately obvious if
>>>> there are a lot of responses.
>>>>
>>>>  The poll owner can edit the spreadsheet to take out 'extra' votes, but
>>>> the totals in the summary are _not_ updated :(
>>>>
>>>>  This means that the summary for the 'RSA' poll is currently wrong - I
>>>> removed one 'extra' vote (which may of course have been accidental) and
>>>> then removed 2 extra votes that I made while testing to see if I could
>>>> easily prevent multiple votes :(
>>>>
>>>>  If anyone has any straightforward solutions to these 2 issues then
>>>> please let me know.
>>>>
>>>>  Simon
>>>>
>>>>
>>>>  On Tue, Jan 7, 2014 at 9:16 PM, Dennis Groves <dennis.groves at owasp.org> wrote:
>>>>
>>>>>  I was one of the first to answer the survey, however, let me
>>>>> publicly say that this is an awesome idea Psiinon!
>>>>> We really should be involving the community much more, and this is a
>>>>> great way to do that.
>>>>>
>>>>>
>>>>> On Tue, Jan 7, 2014 at 11:27 AM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>>>>>
>>>>>> yeah, keep it @owasp.org domain only since that is also a nice perk
>>>>>> for having that email address (and makes the whole process simpler)
>>>>>>
>>>>>>  Rock & Roll Simon, this is a great evolution :)
>>>>>>
>>>>>>  Dinis
>>>>>>
>>>>>>
>>>>>> On 7 January 2014 15:48, <nawaid.iqbal at owasp.org> wrote:
>>>>>>
>>>>>>> I agree with Tobias. People with only owasp.org should only be
>>>>>>> allowed to voice their opinion
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> Nawaid
>>>>>>> Sent from BlackBerry® on Airtel
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: psiinon <psiinon at gmail.com>
>>>>>>> Sender: owasp-leaders-bounces at lists.owasp.org
>>>>>>> Date: Tue, 7 Jan 2014 11:55:11
>>>>>>> To: Michael Coates<michael.coates at owasp.org>
>>>>>>> Cc: Kanwal Singh \(WebMentors\)<kanwalsb at gmail.com>; OWASP Leaders<
>>>>>>> owasp-leaders at lists.owasp.org>; Nishant Johar \(EMOBX\)<nj at emobx.com>;
>>>>>>> Ravdeep Sodhi<ravdeep.sodhi at ecoretechnos.com>
>>>>>>> Subject: Re: [Owasp-leaders] Regular OWASP polls
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OWASP-Leaders mailing list
>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>   --
>>>>> Dennis Groves <http://about.me/dennis.groves>, MSc
>>>>> Email me, <dennis.groves at owasp.org> or schedule a meeting<http://goo.gl/8sPIy>
>>>>> .
>>>>>  *This email is licensed under a CC BY-ND 3.0
>>>>> <http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB> license.*
>>>>> Stand up for your freedom to install free software.<http://www.fsf.org/campaigns/secure-boot/statement>
>>>>> Please do not send me Microsoft Office/Apple iWork documents.
>>>>> Send OpenDocument <http://fsf.org/campaigns/opendocument/> instead!
>>>>>
>>>>>  <http://www.owasp.org/>
>>>>>
>>>>
>>>>
>>>> --
>>>>  OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>
>>>
>>>
>>>
>>> --
>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>
>>>
>>