As a project co-leader of a former flagship project (ESAPI) that was demoted to 'Lab' status for some of the very reasons mentioned in this letter as well as one who holds an OWASP lifetime membership, I fully support @curphey's call on LinkedIn to get greater participation than seems to be implied in the third paragraph of the open letter. I am not merely nitpicking here, but am concerned that if we don't change this some will read this and think "I'm neither a flagship project leader nor a lifelong contributor, so I should not be signing this". I don't want that to happen.
Here's how I see an issue...in the README.md, in the 3rd paragraph, it states (emphasis added):
> As a group of OWASP flagship project leaders and lifelong contributors, we believe that OWASP hasn't kept pace and evolved to support the needs of important parts of our community today, especially our flagship projects. What worked in the past simply isn’t working now and OWASP needs to change.
By contrast, @curphey writes in his LinkedIn post:
> This morning, along with a set of project leaders, long time OWASP participants and a fellow board member, I cosigned an open letter to the OWASP Foundation and Board of Directors, asking for change.
>
> You can read the letter at https://lnkd.in/eM_5Nw-s - If you agree we ask you to co-sign it by creating a PR adding your name to the letter. You do not need to be an OWASP member to sign. Your voice is important.
This seems to target two somewhat different (but overlapping) audiences, with those mentioned in the LinkedIn post having the larger population.
I bring this up because if I recall correctly, at recent global OWASP meetings this past summer, there was discussion of possibly our original charter requiring chapter and project leadership being restricted to OWASP members. (Or, perhaps I am misremembering and that was a proposal that was put forth by the board.)
Certainly, the confusion arises from the 'we' referring to the original authors versus the 'we' representing the collective set of signatures. (Obviously, not everyone who has currently signed this belongs to a current group of OWASP flagship contributors and technically (and perhaps legally) no one is a 'lifelong contributor' (unless perhaps you started out contributing to OWASP at birth; if so, I want a picture of you in your OWASP diapers).) So, perhaps this was meant to say 'lifetime member'?
Regardless, I think this could be resolved in simple fashion by distinguishing the 'we' referring to the original authors vs the 'we' representing the signatories. This could be done by creating a divider (maybe an \<hr> tag) after the 'Yours truly' closing and the original authors, and then writing something like:
> We the undersigned support the above letter to the OWASP Board of Directors and the Executive Director of the OWASP Foundation:
and then place the remaining "signatures" under that.