There are 3 clarifications to cover; I’ve used headings to make the individual bits easy to find.
Changes to ACv2:
Based on traffic on the OWASP Leaders list coupled with interactions of project leaders with the GPC, I took away a couple of action items which will hopefully make life better for OWASP project leaders when their projects are reviewed under the Assessment Criteria v2 (ACv2):
- Alter the ACv2 to make it explicit that both the short slide deck and the flyer/pamphlet are listed as OPTIONAL.
- Freeze the requirements of ACv2 for a period of time, say 2 years.
Note that the above will be discussed at the next GPC and if there are any changes, I’ll update this post. I don’t suspect there will be which is why I’m writing this now.
A bit more info on the two points:
- If we make any items optional, the GPC will review our email templates to make sure the distinction between required and optional is very clear. To my mind, the purpose of the slide deck and pamphlet/flyer is to ease spreading the word about OWASP projects. While this is very much in line with the OWASP Mission (“make security visible”), it’s not fundamental to creating a valuable OWASP project. For those project leads that want to ‘go the extra mile’, it’s there but not mandated for all projects.
- About freezing changes to the ACv2:
  - This benefits project leads as they know that what is asked of them won’t change as they’re working on their project. I think project leads will appreciate not having ACv2 change out from under them.
  - ACv2 is new so there is still a chance for a ‘bug’ or two to be found while using it. The best way to meet the competing needs of project leads (fixed ACv2) and the GPC (ability to fix bugs in ACv2) is to provide a threshold before changes can occur. My proposed threshold is OWASP Board approval. Hopefully this will provide the balance necessary for both parties to be happy.
Why ACv2 asks for things at release time:
There was another item raised in the discussion: Why is the GPC linking some of the ACv2 things that aren’t really release related to assessing a release?
To be perfectly honest and candid, because that’s when the GPC has the attention of the project lead. There is great diversity in responsiveness amongst the project leads. Some will respond to emails very quickly, others are a digital black hole. Since this is all volunteer work, those items were added because I knew that if a project lead wanted their project assessed, that was the time to try and get those tangential items. For leads that are engaged and active with their projects, I’m sure this seems like a silly hassle. I wouldn’t disagree with that in specific cases, but globally it seemed like the best way for OWASP to try to raise project quality across all projects.
Purpose of the roadmaps:
Finally, two items that have been tripping up project leads are the roadmaps – both the project-level one and the release one. Since I wrote ACv2, let me tell you my purpose for those documents and what my expectations were for them. (Maybe I have another action item to add this to the OWASP wiki.)
(A) Project Roadmaps – this is to provide the high level details of where you’d like to take the project. Basically, what are your thoughts on the final destination for the project – where should it end up. You may never get there (and that’s OK) but this helps to:
- Let users & reviewers get an idea of what you’re thinking at a high level
- If the project is orphaned, any new project lead can keep the project going that much easier.
(B) Release Roadmaps – this is to provide both reviewers and users an idea ‘what they are getting’ in the new release. It could double as (or be sourced from) the change log. Particularly for reviewers, this helps them focus their efforts on the new parts of the project. That should help project leads get eyeballs and feedback on their new code. Especially for large projects that have made previous releases, this is very useful. Think about the difference in effort between reviewing the Testing Guide as a whole vs looking at the 2 new chapters and 20 minor additions.
How big do either of these have to be? As big as the project lead feels they need to be to meet their purpose. Maybe 10 bullets, maybe 10 pages – it’s really the project lead’s choice. Also, project leads are in the best position to know how much effort this should take.
Hope this helps project leads and OWASPers in general understand ACv2 that much better.