Board to vote on the mantra requirement
Greg Troxel
gdt at lexort.com
Mon Jun 15 10:30:22 PDT 2026
Sandro Santilli via Sac <sac at lists.osgeo.org> writes:
> I've stumbled upon the minutes from the board meeting of March 31, 2026
> and found what looks like an ill-defined motion to:
>
> - Drop the "mantra" requirement to become an OSGeo User
>
> - Allow anyone with a passport from major corporations (Google, Meta, Apple, Microsoft) to automatically become an "OSGeo User"
Speaking as someone on the periphery who has never been clear on this,
because I've had an osgeo id for a really long time:
I have been seeing "mantra" and found it odd phrasing. It seemed
obvious that somehow people needed permission for account creation, to
stop spam, and that makes sense, but I would have expected that people
could create an account and then someone -- perhaps a large class of
people -- could approve the person as not a spammer to make it really
active, vs getting timed out, and we'd do that if someone had been
interacting reasonably or something. Deciding to turn that off seems
surprising.
I find the word "passport" to be very strange, and I wonder if I'm
just not up on terminology. I would think this is an account that can
be used as an identity provider, and if that's what people mean, it would
be good to actually say that.
I find the idea of accepting an account with a "major corporation"
(when people can't just sign up) as deeply offensive and contrary to
what osgeo should be doing. That normalizes big tech's bad practices,
including invasive identity requirements. I am frequently spammed by
google, via people that have created google accounts and gmail, and by
people that have further created custom domains. The idea that a
google account proves that you aren't a spammer is ludicrous.
I would go so far as to say that accounts from an IdP should only be
accepted for signup if they meet ethical standards, such as not
requiring the person to provide a phone number. If osgeo does not
have a True Name policy, then add that too. I'm less concerned about
letting a person who can log in link another IdP.
> On the technical side, I'd be very favorable in deploying Keycloak as
> a Single Sign On solution, to allow services provided by OSGeo and by
> others to accept the "OSGeo Passport" in addition to other passports
> they may choose to support, but I think there's still a value in the effort
> it takes to obtain such "OSGeo Passport" and that removing that barrier would
> reduce such value.
Modulo using the word 'passport', that makes a lot of sense to me.
Perhaps we should be separating authentication and the authorization
function for account creation. The big issue is requiring authorization
for osgeo account creation.