<div dir="ltr">Hi Simon,<br><div class="gmail_extra"><br></div><div class="gmail_extra">thank you for your idea and your realizing a fast possibility to get a poll within OWASP.<br></div><div class="gmail_extra"><br>What do you think about not storing the email address, but a salted hash (and not publishing the salt)?<br>

</div><div class="gmail_extra">You could still see if anyone votes twice without making the votes public.<br></div><div class="gmail_extra"><br></div><div class="gmail_extra">@ Simon: <br></div><div class="gmail_extra">> I'm fine with the voting details (and therefore email addresses) being publicly visible - is everyone else?<br>
</div><div class="gmail_extra">@ Dinis:<br>> Having the list of who voted on what is key to have transparency (and 
detect issues like the one I alerted Simon to (the double vote))<br><br></div><div class="gmail_extra">Sorry, but I don't see the public presentation of individual votes as an openness. I do think that the individual votes should stay secret due to privacy protection.<br>
</div><div class="gmail_extra">For me this openness makes only sense for public representatives, like the board members.<br></div><div class="gmail_extra">
<br></div><div class="gmail_extra">Kind regards<br><br></div><div class="gmail_extra">Cheers<div class=""><div id=":19j" class="" tabindex="0"><span class=""><font color="#888888">Torsten<br></font></span></div></div></div>
<span class=""></span></div><div class="gmail_extra"><br><br><div class="gmail_quote">2014/1/8 Dinis Cruz <span dir="ltr"><<a href="mailto:dinis.cruz@owasp.org" target="_blank">dinis.cruz@owasp.org</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p dir="ltr">Voters should stand by their vote, and if they can be influenced by other data (like other votes) then that is a different problem. Also sometimes the end date of a vote might not be very well defined.</p>
<p dir="ltr">Having the list of who voted on what is key to have transparency (and detect issues like the one I alerted Simon to (the double vote))</p>
<p dir="ltr">I think we need a solution for non @<a href="http://owasp.org" target="_blank">owasp.org</a> emails, so let's see if we can figure that out (the key is to be able to map a vote with a recognised owasp identity/person)</p>


<div class="gmail_quote">On 8 Jan 2014 15:23, "Konstantinos Papapanagiotou" <<a href="mailto:Konstantinos@owasp.org" target="_blank">Konstantinos@owasp.org</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div dir="ltr">Hiding the results of the poll until it closes also prevents biased votes. It's not a matter of openness in my opinion.<div><br></div><div>Kostas</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">



On Wed, Jan 8, 2014 at 5:13 PM, Tobias <span dir="ltr"><<a href="mailto:tobias.gondrom@owasp.org" target="_blank">tobias.gondrom@owasp.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">




  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>Dear Simon, <br>
      <br>
      thank you so much for organising this and setting this up.<br>
      This is great and I will be looking forward to using this
      community poll more in the future!<br>
      <br>
      And I totally agree with your replies to requests from non-owasp
      email holders. <br>
      Nothing is perfect and the tool is as it is and naturally has some
      technical limitations. In case of public requests, it is fully
      sufficient to make available simple summary results after the
      survey is closed. We don't need to make huge investments just to
      publish partial real-time preliminary update results for the
      public. In most normal cases, surveys don't even have preliminary
      status updates at all. <br>
      <br>
      All the best, Tobias<br>
      <br>
      <br>
      Ps.: on a technical term, one might also question the requester's
      argument that an internal member poll for a decision would qualify
      as "OWASP materials". However, personally I just love openness and
      transparency and would encourage and embrace if we could post the
      end summary results of our community surveys somewhere on our
      website after they are finished. (Without publishing details how
      each single named individual voted in the poll.)<div><div><br>
      <br>
      <br>
      <br>
      On 08/01/14 14:40, psiinon wrote:<br>
    </div></div></div><div><div>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>
              <div>
                <div>And another problem...<br>
                  <br>
                </div>
                I've been receiving _lots_ of requests to access the
                form from non OWASP accounts.<br>
              </div>
              I have replied to all of them with a canned response of:<br>
              <div style="margin-left:40px">I'm afraid this poll is
                currently only available to people with OWASP email
                accounts to ensure that only OWASP members /
                contributors take part.<br>
                <br>
                To get an OWASP email address follow the link on <a href="https://www.owasp.org/index.php/Owasp.org_email_address" target="_blank">https://www.owasp.org/index.php/Owasp.org_email_address</a><br>
                <br>
                Cheers,<br>
                <br>
                Simon<br>
              </div>
              <br>
            </div>
            However I've just received a reply of:<br>
            <div style="margin-left:40px">Dear Simon,
              <div><br>
                <div>the main page of the owasp website states "all of
                  our materials are available under a free and open
                  software license". Thus I again ask for these
                  materials. </div>
                <div><br>
                </div>
                <div>Best regards,</div>
                <div>a long-time owasp follower</div>
              </div>
              <div><br>
              </div>
              <div>PS: Thanks, I don't need these information, but I am
                just surprised that being an all open and free project,
                you deny access to these information? Isn't that ignoring
                the foundaries of the project?<br>
                <br>
              </div>
            </div>
            <div>For now I'm going to stick with the statement I put on
              <a href="https://www.owasp.org/index.php/Polls" target="_blank">https://www.owasp.org/index.php/Polls</a>:<br>
              <div style="margin-left:40px">Note that only OWASP members
                can see the 'live' results. A summary of the results
                will be made public when the poll closes, but the full
                details will stay restricted to OWASP members to prevent
                email harvesting.
              </div>
            </div>
            <br>
          </div>
          However I want to let anyone else have a say on this rather
          than it being just my decision.<br>
          <br>
        </div>
        Simon<br>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Wed, Jan 8, 2014 at 2:34 PM, psiinon
          <span dir="ltr"><<a href="mailto:psiinon@gmail.com" target="_blank">psiinon@gmail.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">
              <div>
                <div>
                  <div>
                    <div>
                      <div>OK, it looks like Google Forms aren't _quite_
                        as good as they initially seem :(<br>
                        <br>
                      </div>
                      For a start, there is no easy way to prevent
                      anyone from voting multiple times.<br>
                    </div>
                    We can see if anyone does, but that's not always
                    immediately obvious if there are a lot of responses.<br>
                    <br>
                  </div>
                  The poll owner can edit the spreadsheet to take out
                  'extra' votes, but the totals in the summary are _not_
                  updated :(<br>
                  <br>
                </div>
                This means that the summary for the 'RSA' poll is
                currently wrong - I removed one 'extra' vote (which may
                of course have been accidental) and then removed 2 extra
                votes that I made while testing to see if I could easily
                prevent multiple votes :(<br>
                <br>
              </div>
              <div>If anyone has any straightforward solutions to these
                2 issues then please let me know.<br>
              </div>
              <div><br>
              </div>
              Simon<br>
            </div>
            <div class="gmail_extra">
              <div>
                <div><br>
                  <br>
                  <div class="gmail_quote">
                    On Tue, Jan 7, 2014 at 9:16 PM, Dennis Groves <span dir="ltr"><<a href="mailto:dennis.groves@owasp.org" target="_blank">dennis.groves@owasp.org</a>></span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div dir="ltr">
                        <div>I was one of the first to answer the
                          survey, however, let me publicly say that this
                          is an awesome idea Psiinon!</div>
                        <div>We really should be involving the community
                          much more, and this is a great way to do
                          that. </div>
                      </div>
                      <div class="gmail_extra">
                        <div>
                          <div><br>
                            <br>
                            <div class="gmail_quote">On Tue, Jan 7, 2014
                              at 11:27 AM, Dinis Cruz <span dir="ltr"><<a href="mailto:dinis.cruz@owasp.org" target="_blank">dinis.cruz@owasp.org</a>></span>
                              wrote:<br>
                              <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                <div dir="ltr">yeah, keep it @<a href="http://owasp.org" target="_blank">owasp.org</a> domain
                                  only since that is also a nice perk
                                  for having that email address (and
                                  makes the whole process simpler)
                                  <div>
                                    <br>
                                  </div>
                                  <div>Rock & Roll Simon, this is a
                                    great evolution :)</div>
                                  <span><font color="#888888">
                                      <div><br>
                                      </div>
                                      <div>Dinis</div>
                                    </font></span></div>
                                <div>
                                  <div>
                                    <div class="gmail_extra"><br>
                                      <br>
                                      <div class="gmail_quote">On 7
                                        January 2014 15:48, <span dir="ltr"><<a href="mailto:nawaid.iqbal@owasp.org" target="_blank">nawaid.iqbal@owasp.org</a>></span>
                                        wrote:<br>
                                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I
                                          agree with Tobias. People with
                                          only <a href="http://owasp.org" target="_blank">owasp.org</a>
                                          should only be allowed to
                                          voice their opinion<br>
                                          <br>
                                          Regards<br>
                                          <br>
                                          Nawaid<br>
                                          Sent from BlackBerry® on
                                          Airtel<br>
                                          <div>
                                            <div><br>
                                              -----Original Message-----<br>
                                              From: psiinon <<a href="mailto:psiinon@gmail.com" target="_blank">psiinon@gmail.com</a>><br>
                                              Sender: <a href="mailto:owasp-leaders-bounces@lists.owasp.org" target="_blank">owasp-leaders-bounces@lists.owasp.org</a><br>
                                              Date: Tue, 7 Jan 2014
                                              11:55:11<br>
                                              To: Michael Coates<<a href="mailto:michael.coates@owasp.org" target="_blank">michael.coates@owasp.org</a>><br>
                                              Cc: Kanwal Singh
                                              \(WebMentors\)<<a href="mailto:kanwalsb@gmail.com" target="_blank">kanwalsb@gmail.com</a>>;
                                              OWASP Leaders<<a href="mailto:owasp-leaders@lists.owasp.org" target="_blank">owasp-leaders@lists.owasp.org</a>>;
                                              Nishant Johar
                                              \(EMOBX\)<<a href="mailto:nj@emobx.com" target="_blank">nj@emobx.com</a>>;
                                              Ravdeep Sodhi<<a href="mailto:ravdeep.sodhi@ecoretechnos.com" target="_blank">ravdeep.sodhi@ecoretechnos.com</a>><br>
                                              Subject: Re:
                                              [Owasp-leaders] Regular
                                              OWASP polls<br>
                                              <br>
_______________________________________________<br>
                                              OWASP-Leaders mailing list<br>
                                              <a href="mailto:OWASP-Leaders@lists.owasp.org" target="_blank">OWASP-Leaders@lists.owasp.org</a><br>
                                              <a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
                                              <br>
                                            </div>
                                          </div>
                                        </blockquote>
                                      </div>
                                      <br>
                                    </div>
                                  </div>
                                </div>
                                <br>
                                <br>
                              </blockquote>
                            </div>
                            <br>
                            <br clear="all">
                            <div><br>
                            </div>
                          </div>
                        </div>
                        <span><font color="#888888">-- <br>
                            <span><span style="font-family:verdana,sans-serif"><font size="1"><span style="border-collapse:collapse"><a href="http://about.me/dennis.groves" target="_blank">Dennis Groves</a>,
                                    MSc</span></font></span></span>
                            <div>
                              <span><span style="font-family:verdana,sans-serif"><font size="1"><span style="border-collapse:collapse"><a href="mailto:dennis.groves@owasp.org" target="_blank">Email me,</a> or
                                      <a href="http://goo.gl/8sPIy" target="_blank">schedule a
                                        meeting</a>.<br>
                                    </span></font></span></span></div>
                            <div>
                              <div style="text-align:left"><i><span><span style="font-family:verdana,sans-serif"><font size="1">This email is
                                        licensed under a <a rel="license" href="http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB" target="_blank">CC BY-ND 3.0</a>
                                        <font size="1">license</font>.</font></span></span></i></div>
                              <div style="text-align:left"><span style="font-family:verdana,sans-serif"><font size="1"><font color="#999999"><span style="border-collapse:collapse"><span><span style="background-color:rgb(255,255,0)"><a href="http://www.fsf.org/campaigns/secure-boot/statement" target="_blank">Stand up
                                              for your freedom to
                                              install free software.</a></span></span><br>
                                      </span></font></font></span><span style="font-family:verdana,sans-serif"><font size="1"><font color="#999999"><span style="border-collapse:collapse"><span style="color:rgb(102,102,102)">Please
                                          do not send me Microsoft
                                          Office/Apple iWork documents.
                                          <br>
                                          Send <a href="http://fsf.org/campaigns/opendocument/" target="_blank">OpenDocument</a>
                                          instead!</span><br>
                                        <br>
                                      </span></font></font></span>
                                <div style="text-align:left"><span style="font-family:verdana,sans-serif"><font size="1"><font color="#999999"><span style="border-collapse:collapse"><a href="http://www.owasp.org/" target="_blank"><img height="36" width="200"></a></span></font></font></span><br>




                                </div>
                                <span style="font-family:verdana,sans-serif"></span></div>
                            </div>
                          </font></span></div>
                      <br>
                      <br>
                    </blockquote>
                  </div>
                  <br>
                  <br clear="all">
                  <br>
                  -- <br>
                </div>
              </div>
              <a href="https://www.owasp.org/index.php/ZAP" target="_blank">OWASP ZAP</a> Project leader<br>
            </div>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <br>
        -- <br>
        <a href="https://www.owasp.org/index.php/ZAP" target="_blank">OWASP
          ZAP</a> Project leader<br>
      </div>
      <br>
      <fieldset></fieldset>
      <br>
    </blockquote>
    <br>
  </div></div></div>

<br></blockquote></div><br></div>
<br></blockquote></div>
<br></blockquote></div><br></div>
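<p>An added illustration of the idea at the top of this thread (store a hash of the voter's address, keep the secret unpublished, still detect double votes); it is not code from any poster or from OWASP. It uses HMAC-SHA256 with a secret key in place of the "salted hash" named in the mail, and the key, addresses and function names are constructed for the example.</p>

```python
import hashlib
import hmac
import unicodedata
from collections import Counter

# Constructed demo key. A real poll would create it once with
# secrets.token_bytes(32) and keep it out of the results sheet.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# Constructed sample responses (address, choice); example.org is a placeholder.
ROWS = [
    ("alice@example.org", "Yes"),
    ("bob@example.org", "No"),
    (" Alice@Example.org ", "Yes"),  # same voter, different spelling
    ("carol@example.org", "Yes"),
]


def normalise_email(addr):
    """Canonical form so trivially different spellings give one token."""
    addr = unicodedata.normalize("NFKC", addr).strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not (sep and local and domain):
        raise ValueError("not an email address")
    return local + "@" + domain


def voter_token(addr, key):
    """Keyed hash of the address: HMAC-SHA256 with the unpublished secret."""
    msg = normalise_email(addr).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymise(rows, key):
    """What gets stored: (token, choice) pairs, never the address."""
    return [(voter_token(addr, key), choice) for addr, choice in rows]


def find_double_votes(stored):
    """Tokens that appear on more than one stored row, with their count."""
    counts = Counter(token for token, _ in stored)
    return {t: n for t, n in counts.items() if n > 1}


def tally_first_vote(stored):
    """Totals counting only the first row per token."""
    seen, totals = set(), Counter()
    for token, choice in stored:
        if token not in seen:
            seen.add(token)
            totals[choice] += 1
    return dict(totals)


def reidentify_with_key(stored, known_addresses, key):
    """Caveat: whoever holds the key can recompute tokens for known addresses."""
    by_token = {token: choice for token, choice in stored}
    hits = {}
    for addr in known_addresses:
        token = voter_token(addr, key)
        if token in by_token:
            hits[addr] = by_token[token]
    return hits
```

<p>The tokens are pseudonyms rather than anonymous values: the set of possible voter addresses is small and largely known, so the secrecy of individual votes rests entirely on who can read the key.</p>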