I was recently asked about the situation around two OWASP projects that are nearly duplicates. Wanting to make this discussion very public, I’m carrying over my answer to the GPC’s new blog.
Background: Someone asked what had become of OWASP CAL9000. I responded that CAL9000, while still useful, was pretty much dormant and orphaned by the project lead. I also suggested that they should look at EnDe, which is an amazing bit of JavaScript encoding/decoding goodness that came out of the OWASP SoC 2008.
Below are the questions and responses my reply inspired:
> Matt
>
> You are part of the Global Project Committee. Does the Criteria 2.0 Draft
> touch the issue of duplicated projects/efforts? And what could
> be considered a duplicated effort?
In all honesty, it doesn’t. But that is on purpose.
Here’s why: Now that there is a Global Project Committee (GPC), proposed projects are reviewed by the committee, which should be able to catch duplicated efforts. Paulo does a great job of running project proposals by the GPC before he does the initial project setup. If a project has already created a release and is ready to be reviewed under Criteria v2, it’s far too late to catch the duplication.
In the specific case of Cal9000 & EnDe, there were a couple of factors which are hopefully fixed under the new Global Committee structure – especially the GPC:
– No peer review of proposed new projects to catch duplicates
– No good or known process to orphan projects and find new leaders for them
Call this a lesson learned which will (hopefully) be avoided in future.
>
> I understand 2 projects might do the same thing for different
> technologies, but if they are in the same technology and one covers
> the other or they both do the same thing shouldn’t we deprecate one
> in favor of the other or simply merge them?
Absolutely. Unfortunately there really isn’t a process to deprecate projects currently. That is something that is actively being worked on by the GPC. See the top item on our committee’s agenda for the year:
https://www.owasp.org/index.php/Global_Projects_Committee
In future, the GPC hopes to have a mechanism to determine which projects are either orphaned or dormant. For those projects that are still relevant, we can announce their availability for new project leads to take over. Those that are no longer relevant will be archived. For example, consider these two fictitious OWASP projects which are orphaned/dormant:
OWASP PHP 3.3 coding guide: This is a project which probably isn’t very relevant since PHP is currently up to 5.x. The project page should be marked “Archived”, “Deprecated” or something similar and moved to an archived/historical projects part of the OWASP Wiki.
Ruby on Rails Hardening Guide: Ruby on Rails is still very popular and in use widely. This project would be listed as orphaned and the GPC would try to find a new project lead to take over this project.
>
> IMO merging projects will boost both (previous) projects into a new
> and better solution for the community, but I don’t know if people
> will like to give up the lead of their own “baby” (their project they
> have spent a lot of effort on)
I’m not sure that would work for CAL9000 and EnDe considering when this issue came to light – for me about a month ago in Poland.
However, for projects in general, you’d be surprised. Of the project leads that no longer wanted to maintain their projects, I can’t think of one that wasn’t happy to help a new project lead take over and move forward. The GPC’s challenge is to make that process as open and easy as possible.