[Owasp-leaders] [Owasp-board] Higher standards for accepting OWASP projects especially defender library projects

Claudia Casanovas claudia.aviles-casanovas at owasp.org
Fri Nov 20 19:29:27 UTC 2015


If there are no objections I will move the project to inactive at this time.

Please let me know if you have any questions or concerns.

Thank you

On Fri, Nov 20, 2015 at 10:46 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

>> I would recommend that we also consider the moving the project to in
>> proceed of completion.
>
> Hi Claudia, the problem is that the project is 'in completion' already, but it
> has quality issues that won't allow the project to move to LAB. The
> project is right now inactive.
>
>
>
> On Fri, Nov 20, 2015 at 2:38 PM, Claudia Casanovas <
> claudia.aviles-casanovas at owasp.org> wrote:
>
>> We can proceed with moving the project to inactive due to the arguments
>> presented.
>>
>> I would recommend that we also consider moving the project to in
>> proceed of completion.
>>
>> This way the leader has an opportunity to make corrections and, if needed,
>> restart the project altogether.
>>
>> Sent from my iPhone
>>
>> On Nov 20, 2015, at 1:26 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>> Hi Jim
>>
>> Based on the arguments the users provided, they find this library is not
>> useful and it must be started from scratch.
>>
>> They did not consider it enough to set a warning, which Sven has already done.
>>
>> I think if a project is not using this space and is so insecure, it should
>> be taken down from the repository; it should be zipped and archived.
>>
>> regards
>>
>> Johanna
>>
>> On Fri, Nov 20, 2015 at 2:23 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> I think it's important we let folks know it's out of date or is no longer
>>> maintained. I think it's fair to "demote" this project.
>>>
>>> Rather than remove it from GitHub, I suggest just putting a warning on the
>>> GitHub page that it's no longer being maintained and has security issues.
>>> Someday, someone may want to fork or update this.
>>>
>>> Aloha,
>>> Jim
>>>
>>>
>>>
>>> On 11/20/15 12:09 PM, johanna curiel curiel wrote:
>>>
>>> Hi Leaders,
>>>
>>> There was a very interesting discussion regarding the OWASP PHPSEC
>>> library.
>>>
>>> The issues brought by some users of the library (Andrew Carter, James
>>> Titcumb, Katy Ereira and Sven Rautenberg, a former contributor) on the
>>> GitHub repository mailing list are that the library contains many security
>>> issues, it has not been maintained for more than a year, and it should be
>>> taken down from the OWASP GitHub repository.
>>>
>>> https://github.com/OWASP/phpsec/issues/108#issuecomment-158447768
>>> https://github.com/OWASP/phpsec/issues/108#issuecomment-158436572
>>> https://github.com/OWASP/phpsec/issues/108#issuecomment-158428769
>>> https://github.com/OWASP/phpsec/issues/108#issuecomment-158418384
>>>
>>> They all presented quite strong arguments, with code references, that
>>> the library, even though it is an incubator project, can mislead
>>> potential users into using it (which happened to them).
>>> They feel OWASP has a responsibility not to allow these projects
>>> under OWASP GitHub and to delete them.
>>>
>>> While I argued that a lot of effort was put in by volunteers, which might
>>> not have obtained the expected results, Andrew Carter argued back:
>>>
>>> *Could you confirm to me that you consider the feelings of your
>>> volunteers and contributors more important than the security of the
>>> applications developed by people trusting the OWASP namespace?*
>>>
>>> He presented a list of issues, and Sven, the former contributor, also
>>> agreed that sadly the library should be taken down from GitHub, but also
>>> from the OWASP inventory (to be set as inactive).
>>>
>>> I cc Claudia so this can be taken up internally with the staff, as PHPSEC
>>> is not the only inactive library under OWASP GitHub and it definitely needs
>>> a clean-up.
>>>
>>> The point I want to bring up is that higher standards are definitely
>>> needed to allow projects, but especially when these projects are 'security
>>> libraries'.
>>>
>>> Unfortunately, even though volunteers are making big efforts, I do
>>> agree this is definitely not an excuse (as Andrew mentioned) to allow them
>>> when people are trusting the OWASP name for security, even if it is an
>>> incubator project.
>>>
>>>
>>>
>>> Regards
>>>
>>> Johanna
>>>
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>
>>>
>>> --
>>> Jim Manico
>>> Global Board Member
>>> OWASP Foundation
>>> https://www.owasp.org
>>>
>>>
>>
>


-- 


Claudia Aviles-Casanovas <claudia.aviles-casanovas at owasp.org>
Project Coordinator
Phone: 973-288-1697