[Owasp_project_leader_list] OWASP Project Audits

Samantha Groves samantha.groves at owasp.org
Wed Apr 23 19:10:48 UTC 2014


One other thing, in regard to this:

*A more intensive accurate review will be needed for this but ONLY IF
REQUESTED BY THE PROJECT LEADER.*


I agree 100%. I say, from today onward, we only review those projects that
request it, instead of trying to review the full inventory like we were
trying to do last year with the advisors. I think a good lesson learned is
that the reviews do not scale in this way, and it is far more manageable if
we take them on as they are requested. Saying this, we should require
certain information from the leader before a review takes place like having
their repo in Ohloh and a justification. Any objections? I agree with
Johanna and Simon on this.




On Wed, Apr 23, 2014 at 12:06 PM, Samantha Groves <samantha.groves at owasp.org
> wrote:

> Awesome! That's a plan. I have a few questions in relation to this:
>
> 2. How we do it? I leave that up to you guys/the community.
>
> Last year I worked on reviewing Incubators Tools & Code projects. The list
> I sent is quite accurate so far and Jim worked updating some info in it. I
> have no time to fill in criteria forms and I don't think this is necessary.
>
> Can you re-send the list? I want to make sure we are talking about the
> same thing.
> To confirm, you only looked at Tool and Code Projects that are Incubators?
> Did you review them based on quality or activity?
> If activity, did you both ask any of the Leaders about their activity? If
> so, did they confirm their activity or inactivity?
>
> Thank you, guys.
>
> SG
>
>
>
> On Wed, Apr 23, 2014 at 11:55 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>>
>> 1. I need an as close to as possible accurate list of Active projects by
>> the beginning of June. <-- This is what I care about the most.
>>
>> I'm working on cleaning inactive projects from LABS. Got 1 reaction. I'll
>> send a reminder the coming 3 weeks, no reaction, those projects will be
>> set as inactive.
>> I'll focus right now on cleaning this list.
>>
>> 2. How we do it? I leave that up to you guys/the community.
>>
>> Last year I worked on reviewing Incubators Tools & Code projects. The list
>> I sent is quite accurate so far and Jim worked updating some info in it. I
>> have no time to fill in criteria forms and I don't think this is necessary.
>>
>> I based my judgment on activities in the project repository. 0 activity
>> means inactive.
>>
>> I'm researching why projects are becoming inactive. This is part of the
>> pilot project.
>>
>> I have time to review tools & code incubator projects only.
>>
>> *Also if project leaders are not setting an account in Ohloh, it makes it
>> difficult to measure but still looking at the repository activities,
>> mailing list for example also provides this info but it has to be done
>> manually. I'll probably start adding (LAB) OWASP projects in Ohloh for the
>> purpose of gathering data metrics.*
>>
>> *Since Incubators are experiments, I'll not focus my time on them. I
>> consider them so far a playground for experiments.*
>>
>> *If project leaders consider his project deserves to move from Incubator
>> to LAB or to flagship, it will be important to demonstrate WHY.*
>>
>> *A more intensive accurate review will be needed for this but ONLY IF
>> REQUESTED BY THE PROJECT LEADER.*
>>
>>
>> On Wed, Apr 23, 2014 at 2:28 PM, Samantha Groves <
>> samantha.groves at owasp.org> wrote:
>>
>>> Great suggestion, guys. Yes, we need to take the other two into account,
>>> as well. I am looping in Johanna as she is working on this, as well.
>>>
>>> Just so we are all clear on what the end game is:
>>>
>>> 1. I need an as close to as possible accurate list of Active projects by
>>> the beginning of June. <-- This is what I care about the most.
>>> 2. How we do it? I leave that up to you guys/the community.
>>> 3. You can use the process/documents I used in the past, but I leave
>>> that up to this team to decide. I trust you all know what you are doing. :-)
>>>
>>> questions/concerns?
>>>
>>>
>>>
>>>
>>> On Wed, Apr 23, 2014 at 12:29 AM, psiinon <psiinon at gmail.com> wrote:
>>>
>>>> Agreed - I was thinking more about code based projects :)
>>>>
>>>>
>>>> On Tue, Apr 22, 2014 at 8:19 PM, Jim Manico <jim.manico at owasp.org>wrote:
>>>>
>>>>> Simon,
>>>>>
>>>>> It depends. A documentation project like the OWASP Top Ten gets
>>>>> released every three years and that seems ok to me. For an active code
>>>>> library I'd expect to see activity every month or two, similar to an
>>>>> assessment tool.
>>>>>
>>>>> Tricky problem here....
>>>>>
>>>>> --
>>>>> Jim Manico
>>>>> @Manicode
>>>>> (808) 652-3805
>>>>>
>>>>> On Apr 22, 2014, at 11:01 AM, Samantha Groves <
>>>>> samantha.groves at owasp.org> wrote:
>>>>>
>>>>> I agree. Let's get started? Who is doing what? I can send our form to
>>>>> the lists.
>>>>>
>>>>>
>>>>> On Tue, Apr 22, 2014 at 11:00 AM, psiinon <psiinon at gmail.com> wrote:
>>>>>
>>>>>> I vote for a relatively aggressive approach to demoting projects.
>>>>>> No apparent code changes, releases or home page edits in the last 12
>>>>>> months? Email leader saying demotion is imminent. No response to email in
>>>>>> one month? Demote.
>>>>>> 1 email explaining why the project is still alive: keep alive for
>>>>>> now..
>>>>>>
>>>>>> That should weed out a load of the deadwood!
>>>>>>
>>>>>> Obviously promoting projects requires a bit more effort, but ask the
>>>>>> leaders to justify promotion as they have a vested interest in making it
>>>>>> so, and that reduces the load on the reviewers.
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Simon
>>>>>>
>>>>>>
>>>>>> On Tue, Apr 22, 2014 at 6:50 PM, Jim Manico <jim.manico at owasp.org>wrote:
>>>>>>
>>>>>>> Samantha,
>>>>>>>
>>>>>>> What was the result of the previous project audit?
>>>>>>>
>>>>>>> My understanding is that no project has moved up or down the project
>>>>>>> hierarchy in the past few years.
>>>>>>>
>>>>>>> Just curious what the endgame or goal is here.
>>>>>>>
>>>>>>>
>>>>>>> On Apr 22, 2014, at 10:43 AM, Samantha Groves <
>>>>>>> samantha.groves at owasp.org> wrote:
>>>>>>>
>>>>>>> Thank you guys.
>>>>>>>
>>>>>>> +1 I love it, and I would love it more if I had a handful of people
>>>>>>> pitching in as I think it will go way faster. The last audit took quite a
>>>>>>> while to do. The next one was scheduled to start in June, but we have
>>>>>>> started early.
>>>>>>>
>>>>>>> For reference, this is what I did the last time:
>>>>>>> https://docs.google.com/spreadsheet/ccc?key=0AllOCxlYdf1AdEdCYVJpdmZHaWJYZ055WHROa19qN3c&usp=sharing
>>>>>>>
>>>>>>> I put together the form Simon suggested:
>>>>>>> https://docs.google.com/a/owasp.org/forms/d/14DYS3kY6P2uqJqAMd3F-cMfUPg-DXCK3sQvtggZ1gek/viewform
>>>>>>>
>>>>>>> Let me know what you think. We can e-mail this list, and all of the
>>>>>>> other known active project leaders. They all have 3 weeks to respond, as
>>>>>>> Johanna suggested. I agree with that. After that, the project is marked
>>>>>>> inactive. How does that sound?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Apr 22, 2014 at 7:35 AM, Matt Tesauro <
>>>>>>> matt.tesauro at owasp.org> wrote:
>>>>>>>
>>>>>>>> +1
>>>>>>>>
>>>>>>>> I agree that a quick survey of the project leaders may help get
>>>>>>>> enough responses so that a sorting can occur allowing more detailed audits
>>>>>>>> of the more active projects.  If a project won't answer a short form, they
>>>>>>>> are quite unlikely to do a few audit.  It's also possible that I'm ignorant
>>>>>>>> of all the work you're doing on these audits.
>>>>>>>>
>>>>>>>> I do think you're doing awesome (and somewhat thankless) work.  I
>>>>>>>> remember trying to herd the cats while part of the Global Project
>>>>>>>> Committee.  It is not an easy task.  Thanks for all your awesome work so
>>>>>>>> far.
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> -- Matt Tesauro
>>>>>>>> OWASP WTE Project Lead
>>>>>>>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>>>>>>>> http://AppSecLive.org - Community and Download site
>>>>>>>> OWASP OpenStack Security Project Lead
>>>>>>>> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Apr 22, 2014 at 4:33 AM, psiinon <psiinon at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Samantha,
>>>>>>>>> cc OWASP Project leaders,
>>>>>>>>>
>>>>>>>>> Auditing all of the OWASP Projects (as per
>>>>>>>>> https://github.com/OWASP/Projects_Task_Force/issues/2) seems to
>>>>>>>>> be a significant undertaking, and it's one I think the project leaders could
>>>>>>>>> (and possibly _should_) help with.
>>>>>>>>>
>>>>>>>>> How about setting up a simple form with high level questions like:
>>>>>>>>>
>>>>>>>>>    - Project name:
>>>>>>>>>    - Leader's name:
>>>>>>>>>    - Ohloh link:
>>>>>>>>>    - Source control link (if not on Ohloh):
>>>>>>>>>    - Is your project active? (Yes, No, Clinging on for dear life)
>>>>>>>>>    - When was the last release?
>>>>>>>>>    - Link to last release:
>>>>>>>>>    - When do you think the next release will be?
>>>>>>>>>
>>>>>>>>> Or whatever questions you want the answers to, but something that
>>>>>>>>> someone can fill in very quickly.
>>>>>>>>>
>>>>>>>>> Then ask all of the project leaders to fill that out for each of
>>>>>>>>> their projects.
>>>>>>>>>
>>>>>>>>> The audit should go further than this, but at least that would be
>>>>>>>>> really useful input which project leaders should be able to supply quite
>>>>>>>>> easily.
>>>>>>>>>
>>>>>>>>> And if a leader doesn't fill in this form after being prompted a
>>>>>>>>> couple of times then maybe we should just move it to inactive status?
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>>
>>>>>>>>> Simon
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Owasp_project_leader_list mailing list
>>>>>>>>> Owasp_project_leader_list at lists.owasp.org
>>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp_project_leader_list
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>> *Samantha Groves, MBA*
>>>>>>>
>>>>>>> *OWASP Projects Manager*
>>>>>>>
>>>>>>>
>>>>>>> The OWASP Foundation
>>>>>>>
>>>>>>> Phoenix, USA
>>>>>>>
>>>>>>> Email: samantha.groves at owasp.org
>>>>>>>
>>>>>>> Skype: samanthahz
>>>>>>>
>>>>>>>
>>>>>>> OWASP Global Projects<https://www.owasp.org/index.php/Category:OWASP_Project>
>>>>>>>
>>>>>>> Book a Meeting with Me <http://goo.gl/mZXdZ>
>>>>>>>
>>>>>>> OWASP Contact US Form <http://owasp4.owasp.org/contactus.html>
>>>>>>>
>>>>>>> New Project Application Form <http://www.tfaforms.com/263506>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>
>

