[Owasp-leaders] [Owasp-board] Proposal Plan for incentive plan for Project leaders- updated: Board meeting 17th February

johanna curiel curiel johanna.curiel at owasp.org
Sun Feb 7 20:30:58 UTC 2016


Hi Kevin

The criteria are just a basic guideline. The reviewer will always have to
analyse the situation of that project in order to provide some advice.
Example, the review done to Java Sanitizer:
https://gitprint.com/jowasp/review-features/blob/master/example_review.md

The code measure by GitHub says 'low activity', but the code has existed for 4
years and has continuous development, so in this case it is not just black and
white. As a reviewer I argue that, based on the stability of the code base, it
complies with this.

If you noticed, a stable release project probably won't need continuous
development or releases; it depends. I find this quite normal.
To graduate it must have a release and a version. The reviewer could
argue that the project has a stable release.
The important thing is not the number of issues but the presence of a bug
tracking system.

Please feel free to comment on this in the criteria and we can also adapt the
interpretation of it, especially because code projects tend to develop a
little differently than tools.

The most important criteria for graduation into LAB are industry recognition
and community adoption.

We need to have some sort of tangible, measurable indicator that this is the
case for the project, and that the community agrees with the graduation of the
project and the review done.

Cheers

Johanna

On Sun, Feb 7, 2016 at 12:36 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
wrote:

> On Sat, Feb 6, 2016 at 7:32 PM, johanna curiel curiel
> <johanna.curiel at owasp.org> wrote:
> > Hi Board members & Project leaders
> >
> > I have updated the proposal plan
> >
> >
> https://docs.google.com/document/d/1PvNeEWgoO1w51VhHLwqqSgo0mBh-RvmSFUKMTz4QrYg/edit?pref=2&pli=1#heading=h.lw77ixr6kxi
> >
> > Big changes are:
> >
> > Simplified and concrete Project Review criterion based on community
> > feedback
> > Development of Review portal for automation purposes and community
> > involvement
> > QA reviews only by request in case project has not received any reviews
> > and wishes to graduate
> > Graduation Budget
> >
> > @Project Leaders:
> > We will be discussing this proposal with the board on the 17th of
> > February.
> > Please feel free to comment on the document and participate during the
> > meeting
>
> I made a few comments, but there was one comment that I wanted to add that
> I wasn't sure where to place, so I will make it here.
>
> One concern that I have is trying to force all projects into the same
> criteria for advancement from incubator-->lab-->flagship. I believe that
> there are some outlier projects that don't fit the usual criteria as laid
> out here and other places.
>
> I think a good example of this is the Java Encoder Project
> (https://www.owasp.org/index.php/OWASP_Java_Encoder_Project).
>
> The status of that project is only "incubator", in part because there has
> not been a constant stream of releases. But in this specific case, does
> there really NEED to be? I have not heard anyone mention that "there needs
> to be this type of encoding that is currently not present", nor "this
> encoding is wrong". This project seems rock solid to me and I have
> personally been recommending it for those who were _only_ looking for a
> solution for output encoding over ESAPI (and not just because until
> recently, ESAPI has been rather inactive; the Java Encoder Project is much
> lighter weight and thus a better fit if that's all you need). Looking at
> the GitHub issues, there are NO issues and there is only one minor pull
> request (a one character fix to a typo in a comment). Now it could be that
> there are just not enough developers using it. I don't know how many times
> it has been downloaded and, more importantly, how often it is actually
> being used in applications. But in my personal opinion, it is long overdue
> for at least getting the Java Encoder Project promoted to Lab status. I
> think, in part, it is because it doesn't meet that "regular release"
> criterion, but then I'd have to ask, if they have no bug fixes, what
> enhancements would you have them add?
>
> Just my $.02,
> -kevin
>
> --
> Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
> NSA: All your crypto bit are belong to us.
>

