I wanted to create this discussion page for general questions and discussions of this corresponding wiki page.
- I don't even think this conversation can be started without a clear definition of terms, goals, benefits, and criteria of the different project types.
- Beyond that, I think that it is naive to think that projects like Top 10 or Dev Guide, etc. that are documentation projects which are only published every few years can be / should be treated similar to projects that are some software product. Perhaps the content of this wik page may only be referring to the later, but it is so nebulous in its wording that I can't be sure.
- I found the way these options were presented somewhat confusing. The differences between the options, and especially options #1 and #2 (i.e., columns 1 and 2) is in my opinion, rather nuanced because there seemed to be more similarities than differences.
- I feel that is wrong to try to shoehorn all the different project types into a single categorization. At the very least, I don't see how you can compare a documentation project that only is intended to have some tangible output every N years (e.g., the OWASP Top Ten, the OWASP Development Guide, etc.) with software projects where people are expecting regular updates. At best, that's an apples to oranges comparison. I'm not even sure we can measure it by "activity" because most of the documentation projects that only produce output every N years naturally are going to have a major lull in activity during the off years.
- I believe that the some consideration at least should be placed trying to understand the reasons that a project seems to be failing. As George Santayana said "Those who cannot remember the past are condemned to repeat it", so if nothing else, we should be collecting "lessons learned" with failed / sunset projects to understand the reasons for their demise.
- I too have a major concern that if put to community vote, this will become a popularity contest. In fact, in each of the options I see that both WebScarab and ESAPI were listed as "sunset" status, yet if all projects were given a place on the ballot for an OWASP community vote, I would not be surprised if ESAPI ended up getting sufficient votes to remain a flagship project. Should that happen, one has to ask "What then?" People will likely vote for the projects that they know the most about and ESAPI is definitely one of the most visible and widely used of all OWASP projects.
- I believe the terms "flagship", "lab", and "incubator" each carry too much political baggage to be useful. I would propose instead that we talk about having "Tier 1", "Tier 2", and "Tier 3" projects, as "Tier n" is much more neutral terminology.
- If we do wish to keep the same "flagship", "lab", and "incubator" terms, is there any reason why we cannot just steal / reuse the Apache Foundations project structure and their criteria for what it takes to obtain and maintain such a label?
- One last comment, and I apologize in advance for this sounding more negative than constructive... I am disappointed that this is all that the staff and/or board came up with as the initial cut, especially considering that there have been email threads kicking these ideas around not for several months. My expectations we elected the board in part to make the difficult decisions that the community itself seemed to be unable to make, yet to me the majority of these options seem to end up with "punting the decisions back to the community" by calling for a community vote as to which projects are deserving of flagship status, which should be lab projects, etc. I think it is fine to as the community to vote on the general approach. I do not think it is okay to have them choose the projects. Case in point, I'm sure that there are a number of great OWASP projects that I've heard of. As an example, because I am more of a builder / defender than a breaker, I am not familiar as I'd like to be with many of the breaker projects. And to be honest, if it came to a vote, I am not going to spend more than 5 or 10 minutes familiarizing myself with any new projects--even if there were some project "short list". I am sure I am not the only one who operates that way, so in the end it will come down to familiarity rather than what is really best for OWASP in the long term.
- I will try to leave my other comments on the main wiki page.