PSC Vote: Let's move this list to discourse

Regina Obe lr at pcorp.us
Sat Jan 6 19:33:12 PST 2024


Sorry for this very long email.  I am happy to see we are discussing all of
this even though I'm a little disappointed this group is not interested in
migrating this list.

> Here's a trip report from me trying to log into discourse for the first
> time:
> 
>   sign up button:
> 
>     1) has github explicitly, which I don't think is ok
> 
>     2) has "LDAP", but ldap is a protocol not an auth provider.  I am
>     guessing that this is the central auth for osgeo accounts which is
>     what osgeo gitea uses.  Seems to involve sending password to
>     discourse, which is a PoLP violation.
> 

I'm thinking we can get rid of LDAP, as it would be redundant with OSGeo
Gitea, and just rename the OSGeo Gitea one to just "OSGeo".

But that said, I guess we have the same PoLP issue with our other services
like Gitea, wiki.osgeo.org, nextcloud.osgeo.org, weblate.osgeo.org and
video.osgeo.org.

So that is a much larger topic than just discourse.

>     3) osgeo gitea seems to work but after username/password (from password
>     manager from osgeo account), I get
> 
>         Authorize "OSGeo Discourse" to access your account?
> 
>         If you grant the access, it will be able to access and write to
>         all your account information, including private repos and
>         organisations.  This application was created by @sac.
> 
>         You will be redirected to
>         https://discourse.osgeo.org/auth/oidc/callback if you authorize
>         this application.
> 
>    and there is no reason for discourse to write to gitea.   So this
>    should be some more limited permissions.
> 
Hmm, I don't get that message, but maybe because I already approved.
What does concern me though, is that after I disconnect OSGeo Gitea, I would
expect it to prompt for the same approval, but it does not. If I choose to
log in via OSGeo Gitea again after removing the connection, it just lets me
in and my discourse profile shows "connected" with OSGeo Gitea again.

Not sure if that is a bug or not, or maybe I have to go into Gitea somewhere
and remove the approval, but I'm not seeing that anywhere under my Gitea
settings.


>    4) github asks
> 
>     OSGeo Discourse by Open Source Geospatial Foundation
>     wants to access your gdt account
>     Personal user data
>     Email addresses (read-only)
> 
>    which is ok, except github

My main annoyance here is that Github is above OSGeo, I'd like to move it
below, but haven't found where that is or if it is not currently possible.

But I think having github there is a necessary evil for now, until the ease
with which we can allow people to create OSGeo accounts is lifted and we can
lock down what OSGeo accounts do on a more granular level -- e.g. OSGeo
accounts have only one big level (accounts with shell access) and all other
accounts. Sure we have groups we can manage, but that is just another
maintenance nightmare to lock things down based on groups for each app. Also
I don't think our groups are set up right in LDAP. Something I want to
change once I upgrade LDAP this year.

Next is the local registration piece: do we keep that or not? I'm torn on
that decision as I can think of good reasons for both.

If people don't have an OSGeo account or github account, or for whatever
reason don't want to use those accounts for discourse correspondence, it
is a disservice to them not to have that feature. I, for example, use it for
a local admin account (similar to what I have with www.osgeo.org) so if LDAP
is broken (e.g. misconfiguration on my part, LDAP broken) I can still log in
and fix things.

My main reason for wanting to remove the registration and local login option
is that it's confusing, as Markus Neteler had mentioned when I sent him an
invite. I've been struggling to change that invite message, but can't find
where it is, and there seems to be no way I have found to relegate that login
screen unless you disable it altogether.

There is also some concern as Martin had brought up about being in the same
mess as we were with wiki and osgeo.org sites that both started off with
their own auth and merging accounts proved to be a nightmare.

I'm much less concerned about that with discourse, because its strategy
seems to be different. Ultimately it seems to go by email addresses and
allows for infinite aliases for email addresses.
So you could in theory log in with your LDAP, your Gitea, or your Github
account all to the same account, as long as it confirms the email addresses
match one of the email addresses registered to that account.

So for example my LDAP has a different email from my Gitea, but both map to
my same account because my gitea email is an alias in discourse.

But that said if people have OSGeo accounts, we would want to encourage them
to use them.

I also see discourse as a first pass into OSGeo. You might want to stay for
a cup of coffee and never come back. I don't want our LDAP cluttered with
all these casual passers-by, at least until we have our expiration system in
place.

Maybe we'd have a category like "Getting more involved with OSGeo" where
people can ask questions about OSGeo membership and involvement and talk
about areas where they might want to get involved before they make the step
of asking for an OSGeo account.

Thanks,
Regina