
Mailman retirement to Google Groups

Revision as of 17:04, 26 February 2019 by Mtesauro (Save progress and keep editing)


Overview

Since very early in OWASP's history, Mailman has been used to facilitate communication between various members of the community. While Mailman has served the community well for years, the decision has been made to migrate from a self-hosted Mailman installation to Google Groups. The migration will allow the community to continue to have an email address to reach a particular segment of the community, just as Mailman provides, but without the administrative burden of running a server for Mailman. The reasons for this migration were stated at length on the leaders list and are summarized below in no particular order:

  • Mailman is old software and doesn't follow current security best practices.
    • It sends passwords in the clear, which the community has repeatedly pointed out for quite some time.
    • It has a single shared password for overall site administration, which the staff use to oversee the installation.
    • If a mail list has 2+ list owners, they must share a password for managing the list.
  • Mailman has an extremely dated UI/web interface. This makes OWASP appear out of date/out of touch to new, potential community members.
  • Since the Foundation has a very small staff, administering a server takes staff time away from focusing on OWASP's mission / core purpose.
  • The Anti-SPAM gateway service from Barracuda, which was previously donated, is ending on March 24th, 2019.
  • Due to the current climate of increased privacy and the existence of the GDPR, the migration will allow the membership in our lists to be reviewed/audited by the current user base (aka opt-in).

In 2017, the current community manager (Tiffany Long) suggested a migration from Mailman to Discourse. This was the original direction of efforts until it was reconsidered at the 2019 Staff Summit, a face-to-face meeting to plan out 2019. Instead, Mailman will be migrated to Google Groups. The following reasons were crucial in the choice of Google Groups:

  • Functionally equivalent to Mailman as a 'mail list'
  • Already part of the G-Suite donation from Google
  • Can be run for $0 cost and with 0 administration of the underlying infrastructure
  • Includes Anti-SPAM filtering that is already part of our G-Suite email infrastructure
  • Inbound and outbound email handled by Google email infrastructure - no need to run an MTA (mail server)
  • Mobile-friendly, modern UI and significantly better TLS configuration for web interactions
  • Has robust admin and permissions available via G-Suite Admin tool

Project Links

Goals

Overall Goal: Migration of any active list from lists.owasp.org to Google Groups.

Details:

  • Active is defined as a list which has received at least 1 non-SPAM email in the last 12 months as of 2019-01-29, when initial activity reporting was run
  • Mail lists for inactive projects and chapters will not be migrated
  • Archives on lists.owasp.org will be migrated to a static host

Milestones

  • Review the inventory of lists to determine which are inactive - DONE
  • Use the data above to retire any inactive list - DONE
  • Review remaining lists for any that can be retired due to ownership (e.g. owned by staff and unused) or because the mail in the last calendar year is SPAM
  • Review remaining lists and remove any projects or chapters which are inactive. A new Google Group can be created for chapters that become active again
  • Send out initial communication to all lists which will be migrated,

Communications

The following lists the communications in which the retirement of Mailman was discussed publicly:


Leadership

  • unordered list of each leader and a hyperlink to their email address.