Board to vote on the mantra requirement

Regina Obe lr at pcorp.us
Mon Jun 15 09:40:20 PDT 2026 

> I've stumbled upon the minutes from the board meeting of March 31, 2026
> and found what looks like an ill-defined motion to:
> 
>   - Drop the "mantra" requirement to become an OSGeo User
> 
>   - Allow anyone with a passport from major corporations (Google, Meta,
> Apple, Microsoft) to automatically become an "OSGeo User"
> 
I agree here.  It's unclear from the motion, if we are just to trust anyone with a Google or Meta or whatever account with out proper vetting.



> The motion goal seems to be aimed at simplifyinng the onboarding
> experience, but seems to be missing the point of the "mantra" as an
> intentional barrier we setup to protect ourselves from spammers.
> 
> In this era of raising barriers against AI agents finding a contrary motion to
> instead open up our shared house to strangers seems unexpected so I'm
> voicing my concern about it.
> 
> 
> On the technical side, I'd be very favorable in deploying Keycloack as a Single
> Sign On solution, to allow services provided by OSGeo and by others to accept
> the "OSGeo Passport" in addition to other passports they may choose to
> support, but I think there's still a value in the effort it takes to obtain such
> "OSGeo Passport" and that removing that barrier would reduce such value.
> 
If keycloak allowed that, that would be great.  Don't know enough about it to know and how exactly it would tie in to some of our other services 
Like weblate / discourse which already support multiple auths.

I think I'd still want to stick with LDAP at least for accessing our servers, because we use that to hold our ssh public keys to authenticate project members to access their servers.
I'm not sure if keycloak could do that, it sounds like it would still need LDAP as an authentication source and delegate to that.


The main pain points I see with LDAP brought up:

a) The MFA brought up in the motion - which I agree with that we need MFA for LDAP for the id.osgeo.org but I suspect that is not that hard to fix.

b) What LDAP is used for that it may not need to be:
1) Signing up for code sprints on WIKI -- it is kinda silly someone needs an OSGeo account to sign up for a code-sprint, that probably should just be moved to discourse (I need to check but I think there is an event's plugin we can use or mark a topic as a wiki and allow people to add their names) .  Discourse already is pretty frictionless you can self-register, use github, or a https://id.discourse.com  which lets you sign up with any of those commercial services already.

2) The large number of QGIS plugin authors needing an OSGeo account, which thankfully Richard Duivenvoorde has been handling now.
   For this case, I really would like Keycloak rolled out for this and see how it works before we put any great effort in changing our other infrastructure to support it.
https://github.com/qgis/QGIS-Plugins-Website/issues/274



> I hope the board members will make an effort to understand the topic more
> deeply in order to be able to take an informed decision, and I'm surprised SAC
> list was not involved in the conversation.
> 
> --strk;
> 
>   Libre GIS consultant/developer 🎺
>   https://strk.kbt.io/services.html

More information about the Sac mailing list