[Owasp_project_leader_list] OWASP Project Audits

Samantha Groves samantha.groves at owasp.org
Wed Apr 23 19:56:45 UTC 2014


unless they want reviews ;-)


On Wed, Apr 23, 2014 at 12:56 PM, Samantha Groves <samantha.groves at owasp.org> wrote:

> Yes, agreed. I would do it for Labs and current Flagships. We should get
> more help for this. Incubators can do it on their own if they would like.
> I don't think it should be mandatory for them. Objections?
>
>
> On Wed, Apr 23, 2014 at 12:44 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> Setting up an ohloh account takes only 5 minutes
>>
>> I don't think this is much to ask.
>>
>> But if I alone have to do 5 min x 100 projects then we are talking about
>> spending quite some time that I think project leaders should do
>>
>> That's why I'm doing this only for labs.
>>
>> regards
>>
>> Johanna
>>
>>
>> On Wed, Apr 23, 2014 at 3:41 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> A few more questions, Johanna. If you are not doing the documentation
>>> projects for the Incubator stage, who is? Any takers?
>>>
>>> Does it make any sense to review experimental incubator projects? I don't think
>>> so after all the emails regarding the purpose of these reviews and how much
>>> time it requires to do it and that it is not realistic to do it etc.
>>>
>>> I personally like to research and test code and tool projects because
>>> I'm a pen tester and programmer but I have no time or interest to read
>>> documentation. And this also takes a lot of time.
>>>
>>> I think that reviewing incubator projects contradicts what we have
>>> mentioned regarding Project reviews.
>>>
>>> Samantha, could you clarify what is the purpose of reviewing incubator
>>> projects, especially documentation projects?
>>> Again, I mentioned this should be done by request.
>>>
>>>
>>>
>>> On Wed, Apr 23, 2014 at 3:34 PM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>> Are you planning on letting the lab project leaders know you are doing
>>>> this? I recommend at least sending them a quick message of intent. ;-) Just
>>>> my two cents, but that is up to you.
>>>>
>>>> The preferred way to go is that the project leaders set their own account,
>>>> not me.
>>>>
>>>> I think most lab & flagship projects are already in ohloh. I agree on
>>>> sending a message before doing so but I can always change the account
>>>> settings to allow project leaders to manage their own accounts
>>>>
>>>>
>>>> On Wed, Apr 23, 2014 at 3:31 PM, Samantha Groves <
>>>> samantha.groves at owasp.org> wrote:
>>>>
>>>>> A few more questions, Johanna. If you are not doing the documentation
>>>>> projects for the Incubator stage, who is? Any takers?
>>>>>
>>>>> Also, in regard to the below statement...
>>>>>
>>>>> *Also if project leaders are not setting an account in ohloh, it makes
>>>>> it difficult to measure but still looking at the repository activities,
>>>>> mailing list for example also provides this info but it has to be done
>>>>> manually. I'll probably start adding (LAB) OWASP projects in ohloh for the
>>>>> purpose of gathering data metrics.*
>>>>>
>>>>> Are you planning on letting the lab project leaders know you are doing
>>>>> this? I recommend at least sending them a quick message of intent. ;-) Just
>>>>> my two cents, but that is up to you.
>>>>>
>>>>>
>>>>>
>>>>> SG
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Apr 23, 2014 at 12:17 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>
>>>>>> +1 I like this direction, Johanna. :)
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Jim Manico
>>>>>> @Manicode
>>>>>> (808) 652-3805
>>>>>>
>>>>>> On Apr 23, 2014, at 11:55 AM, johanna curiel curiel <
>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>>
>>>>>> 1. I need an as close to as possible accurate list of Active projects
>>>>>> by the beginning of June. <-- This is what I care about the most.
>>>>>>
>>>>>> I'm working on cleaning inactive projects from LABS. Got 1 reaction.
>>>>>> I'll send a reminder the coming 3 weeks, no reaction, those projects will
>>>>>> be set as inactive.
>>>>>> I'll focus right now on cleaning this list
>>>>>>
>>>>>> 2. How we do it? I leave that up to you guys/the community.
>>>>>>
>>>>>> Last year I worked on reviewing Incubators Tools & Code projects. The
>>>>>> list I sent is quite accurate so far and Jim worked updating some info in
>>>>>> it. I have no time to fill in criteria forms and I don't think this is
>>>>>> necessary.
>>>>>>
>>>>>> I based my judgment on activities in the project repository. 0
>>>>>> activity means inactive.
>>>>>>
>>>>>> I'm researching why projects are becoming inactive. This is part of
>>>>>> the pilot project.
>>>>>>
>>>>>> I have time to review tools & code incubator projects only.
>>>>>>
>>>>>> *Also if project leaders are not setting an account in ohloh, it
>>>>>> makes it difficult to measure but still looking at
>>>>>> the repository activities, mailing list for example also provides this
>>>>>> info but it has to be done manually. I'll probably start adding (LAB) OWASP
>>>>>> projects in ohloh for the purpose of gathering data metrics.*
>>>>>>
>>>>>> *Since Incubators are experiments, I'll not focus my time on them.
>>>>>> I consider them so far a playground for experiments.*
>>>>>>
>>>>>> *If project leaders consider his project deserves to move from
>>>>>> Incubator to LAB or to flagship, it will be important to demonstrate WHY.*
>>>>>>
>>>>>> *A more intensive accurate review will be needed for this but ONLY IF
>>>>>> REQUESTED BY THE PROJECT LEADER.*
>>>>>>
>>>>>>
>>>>>> On Wed, Apr 23, 2014 at 2:28 PM, Samantha Groves <
>>>>>> samantha.groves at owasp.org> wrote:
>>>>>>
>>>>>>> Great suggestion, guys. Yes, we need to take the other two into
>>>>>>> account, as well. I am looping in Johanna as she is working on this, as
>>>>>>> well.
>>>>>>>
>>>>>>> Just so we are all clear on what the end game is:
>>>>>>>
>>>>>>> 1. I need an as close to as possible accurate list of Active
>>>>>>> projects by the beginning of June. <-- This is what I care about the most.
>>>>>>> 2. How we do it? I leave that up to you guys/the community.
>>>>>>> 3. You can use the process/documents I used in the past, but I leave
>>>>>>> that up to this team to decide. I trust you all know what you are doing. :-)
>>>>>>>
>>>>>>> Questions/concerns?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Apr 23, 2014 at 12:29 AM, psiinon <psiinon at gmail.com> wrote:
>>>>>>>
>>>>>>>> Agreed - I was thinking more about code based projects :)
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Apr 22, 2014 at 8:19 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>>>>
>>>>>>>>> Simon,
>>>>>>>>>
>>>>>>>>> It depends. A documentation project like the OWASP Top Ten gets
>>>>>>>>> released every three years and that seems ok to me. For an active code
>>>>>>>>> library I'd expect to see activity every month or two, similar to a
>>>>>>>>> assessment tool.
>>>>>>>>>
>>>>>>>>> Tricky problem here....
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Jim Manico
>>>>>>>>> @Manicode
>>>>>>>>> (808) 652-3805
>>>>>>>>>
>>>>>>>>> On Apr 22, 2014, at 11:01 AM, Samantha Groves <
>>>>>>>>> samantha.groves at owasp.org> wrote:
>>>>>>>>>
>>>>>>>>> I agree. Let's get started? Who is doing what? I can send our form
>>>>>>>>> to the lists.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Tue, Apr 22, 2014 at 11:00 AM, psiinon <psiinon at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> I vote for a relatively aggressive approach to demoting projects.
>>>>>>>>>> No apparent code changes, releases or home page edits in the last
>>>>>>>>>> 12 months? Email leader saying demotion is imminent. No response to email
>>>>>>>>>> in one month? Demote.
>>>>>>>>>> 1 email explaining why the project is still alive: keep alive for
>>>>>>>>>> now.
>>>>>>>>>>
>>>>>>>>>> That should weed out a load of the deadwood!
>>>>>>>>>>
>>>>>>>>>> Obviously promoting projects requires a bit more effort, but ask
>>>>>>>>>> the leaders to justify promotion as they have a vested interest in making
>>>>>>>>>> it so, and that reduces the load on the reviewers.
>>>>>>>>>>
>>>>>>>>>> Cheers,
>>>>>>>>>>
>>>>>>>>>> Simon
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Tue, Apr 22, 2014 at 6:50 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>>>>>>
>>>>>>>>>>> Samantha,
>>>>>>>>>>>
>>>>>>>>>>> What was the result of the previous project audit?
>>>>>>>>>>>
>>>>>>>>>>> My understanding is that no project has moved up or down the
>>>>>>>>>>> project hierarchy in the past few years.
>>>>>>>>>>>
>>>>>>>>>>> Just curious what the endgame or goal is here.
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Jim Manico
>>>>>>>>>>> @Manicode
>>>>>>>>>>> (808) 652-3805
>>>>>>>>>>>
>>>>>>>>>>> On Apr 22, 2014, at 10:43 AM, Samantha Groves <
>>>>>>>>>>> samantha.groves at owasp.org> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Thank you guys.
>>>>>>>>>>>
>>>>>>>>>>> +1 I love it, and I would love it more if I had a handful of
>>>>>>>>>>> people pitching in as I think it will go way faster. The last audit took
>>>>>>>>>>> quite a while to do. The next one was scheduled to start in June, but we
>>>>>>>>>>> have started early.
>>>>>>>>>>>
>>>>>>>>>>> For reference, this is what I did the last time:
>>>>>>>>>>> https://docs.google.com/spreadsheet/ccc?key=0AllOCxlYdf1AdEdCYVJpdmZHaWJYZ055WHROa19qN3c&usp=sharing
>>>>>>>>>>>
>>>>>>>>>>> I put together the form Simon suggested:
>>>>>>>>>>> https://docs.google.com/a/owasp.org/forms/d/14DYS3kY6P2uqJqAMd3F-cMfUPg-DXCK3sQvtggZ1gek/viewform
>>>>>>>>>>>
>>>>>>>>>>> Let me know what you think. We can e-mail this list, and all of
>>>>>>>>>>> the other known active project leaders. They all have 3 weeks to respond,
>>>>>>>>>>> as Johanna suggested. I agree with that. After that, the project is marked
>>>>>>>>>>> inactive. How does that sound?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Apr 22, 2014 at 7:35 AM, Matt Tesauro <
>>>>>>>>>>> matt.tesauro at owasp.org> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> +1
>>>>>>>>>>>>
>>>>>>>>>>>> I agree that a quick survey of the project leaders may help get
>>>>>>>>>>>> enough responses so that a sorting can occur allowing more detailed audits
>>>>>>>>>>>> of the more active projects.  If a project won't answer a short form, they
>>>>>>>>>>>> are quite unlikely to do a few audit.  It's also possible that I'm ignorant
>>>>>>>>>>>> of all the work you're doing on these audits.
>>>>>>>>>>>>
>>>>>>>>>>>> I do think you're doing awesome (and somewhat thankless) work.
>>>>>>>>>>>> I remember trying to herd the cats while part of the Global Project
>>>>>>>>>>>> Committee.  It is not an easy task.  Thanks for all your awesome work so
>>>>>>>>>>>> far.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> -- Matt Tesauro
>>>>>>>>>>>> OWASP WTE Project Lead
>>>>>>>>>>>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>>>>>>>>>>>> http://AppSecLive.org - Community and Download site
>>>>>>>>>>>> OWASP OpenStack Security Project Lead
>>>>>>>>>>>> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Apr 22, 2014 at 4:33 AM, psiinon <psiinon at gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Samantha,
>>>>>>>>>>>>> cc OWASP Project leaders,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Auditing all of the OWASP Projects (as per
>>>>>>>>>>>>> https://github.com/OWASP/Projects_Task_Force/issues/2) seems
>>>>>>>>>>>>> to be a significant undertaking, and it's one I think the project leaders
>>>>>>>>>>>>> could (and possibly _should_) help with.
>>>>>>>>>>>>>
>>>>>>>>>>>>> How about setting up a simple form with high level questions
>>>>>>>>>>>>> like:
>>>>>>>>>>>>>
>>>>>>>>>>>>>    - Project name:
>>>>>>>>>>>>>    - Leader's name:
>>>>>>>>>>>>>    - Ohloh link:
>>>>>>>>>>>>>    - Source control link (if not on Ohloh):
>>>>>>>>>>>>>    - Is your project active? (Yes, No, Clinging on for dear
>>>>>>>>>>>>>    life)
>>>>>>>>>>>>>    - When was the last release?
>>>>>>>>>>>>>    - Link to last release:
>>>>>>>>>>>>>    - When do you think the next release will be?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Or whatever questions you want the answers to, but something
>>>>>>>>>>>>> that someone can fill in very quickly.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Then ask all of the project leaders to fill that out for each
>>>>>>>>>>>>> of their projects.
>>>>>>>>>>>>>
>>>>>>>>>>>>> The audit should go further than this, but at least that would
>>>>>>>>>>>>> be really useful input which project leaders should be able to supply quite
>>>>>>>>>>>>> easily.
>>>>>>>>>>>>>
>>>>>>>>>>>>> And if a leader doesn't fill in this form after being prompted
>>>>>>>>>>>>> a couple of times then maybe we should just move it to inactive status?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Simon
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>>>>>>>>>
>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> Owasp_project_leader_list mailing list
>>>>>>>>>>>>> Owasp_project_leader_list at lists.owasp.org
>>>>>>>>>>>>>
>>>>>>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp_project_leader_list
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>>
>>>>>>>>>>> *Samantha Groves, MBA*
>>>>>>>>>>>
>>>>>>>>>>> *OWASP Projects Manager*
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> The OWASP Foundation
>>>>>>>>>>>
>>>>>>>>>>> Phoenix, USA
>>>>>>>>>>>
>>>>>>>>>>> Email: samantha.groves at owasp.org
>>>>>>>>>>>
>>>>>>>>>>> Skype: samanthahz
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> OWASP Global Projects <https://www.owasp.org/index.php/Category:OWASP_Project>
>>>>>>>>>>>
>>>>>>>>>>> Book a Meeting with Me <http://goo.gl/mZXdZ>
>>>>>>>>>>>
>>>>>>>>>>> OWASP Contact US Form <http://owasp4.owasp.org/contactus.html>
>>>>>>>>>>>
>>>>>>>>>>> New Project Application Form <http://www.tfaforms.com/263506>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
>


-- 

*Samantha Groves, MBA*

*OWASP Projects Manager*


The OWASP Foundation

Phoenix, USA

Email: samantha.groves at owasp.org

Skype: samanthahz


OWASP Global Projects <https://www.owasp.org/index.php/Category:OWASP_Project>

Book a Meeting with Me <http://goo.gl/mZXdZ>

OWASP Contact US Form <http://owasp4.owasp.org/contactus.html>

New Project Application Form <http://www.tfaforms.com/263506>