[Owasp-leaders] Higher standards for accepting OWASP projects especially defender library projects

Abdullahi Arabo abdullahi.arabo at owasp.org
Fri Nov 20 21:34:51 UTC 2015


I agree it is best to make it inactive.

On Friday, 20 November 2015, Claudia Casanovas <claudia.aviles-casanovas at owasp.org> wrote:

> If there are no objections I will move the project to inactive at this
> time.
>
> Please let me know if you have any questions or concerns.
>
> Thank you
>
> On Fri, Nov 20, 2015 at 10:46 AM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>
>> I would recommend that we also consider moving the project to 'in
>> process of completion'.
>>
>> Hi Claudia, the problem is that the project is 'in completion' already, but
>> it has quality issues that won't allow it to move to LAB. The
>> project is right now inactive.
>>
>>
>>
>> On Fri, Nov 20, 2015 at 2:38 PM, Claudia Casanovas <claudia.aviles-casanovas at owasp.org> wrote:
>>
>>> We can proceed with moving the project to inactive due to the arguments
>>> presented.
>>>
>>> I would recommend that we also consider moving the project to 'in
>>> process of completion'.
>>>
>>> This way the leader has an opportunity to make corrections and, if needed,
>>> restart the project altogether.
>>>
>>>
>>> On Nov 20, 2015, at 1:26 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>
>>> Hi Jim
>>>
>>> Based on the arguments the users provided, they find this library is not
>>> useful and it must be started from scratch.
>>>
>>> They did not consider it enough to set a warning, which Sven has already done.
>>>
>>> I think if a project is not using this space and is so insecure, it
>>> should be taken down from the repository; it should be zipped and archived.
>>>
>>> regards
>>>
>>> Johanna
>>>
>>> On Fri, Nov 20, 2015 at 2:23 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>>> I think it's important we let folks know it's out of date or is no
>>>> longer maintained. I think it's fair to "demote" this project.
>>>>
>>>> Rather than remove it from GitHub, I suggest just putting a warning on the
>>>> GitHub page that it's no longer being maintained and has security issues.
>>>> Someday, someone may want to fork or update this.
>>>>
>>>> Aloha,
>>>> Jim
>>>>
>>>>
>>>>
>>>> On 11/20/15 12:09 PM, johanna curiel curiel wrote:
>>>>
>>>> Hi Leaders,
>>>>
>>>> There was a very interesting discussion regarding the OWASP PHPSEC
>>>> library.
>>>>
>>>> The issues brought up by some users of the library (Andrew Carter, James
>>>> Titcumb, Katy Ereira and Sven Rautenberg, a former contributor) on the
>>>> GitHub repository mailing list are that the library contains many security
>>>> issues, it has not been maintained for more than a year, and it should be
>>>> taken down from the OWASP GitHub repository.
>>>>
>>>> https://github.com/OWASP/phpsec/issues/108#issuecomment-158447768
>>>> https://github.com/OWASP/phpsec/issues/108#issuecomment-158436572
>>>> https://github.com/OWASP/phpsec/issues/108#issuecomment-158428769
>>>> https://github.com/OWASP/phpsec/issues/108#issuecomment-158418384
>>>>
>>>> They all presented quite strong arguments, with code references, that
>>>> the library, even though it is an incubator project, can mislead
>>>> potential users of the project into using it (which happened to them).
>>>> They feel OWASP has a responsibility not to allow these projects to be
>>>> under the OWASP GitHub and to delete them.
>>>>
>>>> While I argued that a lot of effort was put in by volunteers, which
>>>> might not have obtained the expected results, Andrew Carter argued back:
>>>>
>>>> *Could you confirm to me that you consider the feelings of your
>>>> volunteers and contributors more important than the security of the
>>>> applications developed by people trusting the OWASP namespace?*
>>>>
>>>> He presented a list of issues, and Sven, the former contributor, also
>>>> agreed that sadly the library should be taken down from GitHub, but also
>>>> from the OWASP inventory (to be set as inactive).
>>>>
>>>> I cc'd Claudia so this could be taken up internally with the staff, as PHPSEC
>>>> is not the only inactive library under the OWASP GitHub and it definitely needs
>>>> a clean-up.
>>>>
>>>> The point I want to bring up is that higher standards are definitely
>>>> needed to allow projects in, especially when these projects are 'security
>>>> libraries'.
>>>>
>>>> Unfortunately, even though volunteers are putting in big efforts, I do
>>>> agree this is definitely not an excuse (as Andrew mentioned) to allow them
>>>> when people are trusting the OWASP name for security, even if it is an
>>>> incubator project.
>>>>
>>>>
>>>>
>>>> Regards
>>>>
>>>> Johanna
>>>>
>>>> _______________________________________________
>>>> Owasp-board mailing list
>>>> Owasp-board at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>
>>>>
>>>> --
>>>> Jim Manico
>>>> Global Board Member
>>>> OWASP Foundation
>>>> https://www.owasp.org
>>>>
>>>>
>>>
>>
>
>
> --
>
> Claudia Aviles-Casanovas
> claudia.aviles-casanovas at owasp.org
> Project Coordinator
> Phone: 973-288-1697
>

