Board to vote on the mantra requirement

Regina Obe lr at pcorp.us
Mon Jun 15 10:52:19 PDT 2026


> > I've stumbled upon the minutes from the board meeting of March 31,
> > 2026 and found what looks like an ill-defined motion to:
> >
> >   - Drop the "mantra" requirement to become an OSGeo User
> >
> >   - Allow anyone with a passport from major corporations (Google, Meta,
> >     Apple, Microsoft) to automatically become an "OSGeo User"
> 
> Speaking as someone on the periphery who has never been clear on this,
> because I've had an osgeo id for a really long time:
> 
>   I have been seeing "mantra" and found it odd phrasing.  It seemed
>   obvious that somehow people needed permission for account creation, to
>   stop spam, and that makes sense, but I would have expected that people
>   could create an account and then someone -- perhaps a large class of
>   people -- could approve the person as not a spammer to make it really
>   active, vs getting timed out, and we'd do that if someone had been
>   interacting reasonably or something.  Deciding to turn that off seems
>   surprising.
> 
Yah we had that with wiki, but what happened is the list of people queued up
waiting to be approved and no one had time to approve them.
I think the main issue is that, regardless of whether you allow people to
register and vet them later or vet them before they register,
you still have the same problem:

Someone has to vet them, and everyone seems to be trying to get around
having no one vet them to save people time.
So the burden always falls on just a few people who get exhausted and leave.

Like for example on Discourse we do allow everyone to register, use GitHub,
use LDAP, whatever, but the very first post they do we require vetting.
That is because we got spammed a lot when we didn't require vetting.

Even there where there are quite a few people that can vet, the burden ends
up falling on just a few people because no one has time to vet anyone.

Now if we did have Keycloak, in theory we could allow OpenStreetMap (IdP) as
a trusted provider and if they've already vetted someone, chances are we can
trust that person and not bother revetting for most services we provide.
Same for PostgreSQL and other open source orgs that already have a single
sign on system.

I do prefer the vet first (to make sure you are a good actor or autovetting
if we really trust the IdP) before allowing your identity to exist in our
system, cause otherwise your system is just filled with spam accounts.
Some services require more vetting than others, but a basic account should
allow you to do something.

> 
> 
> Perhaps we should be separating authentication and the authorization
> function for account creation.  The big issue is requiring authorization
> for osgeo account creation.

The big issue is having an account you can do something with.  I agree that
yes the authorization is a separate issue.
To Sandro's and your point, it really matters the level of vetting you need
what we allow a non-authorized account to do.

I feel it should increase with longevity and past performance.  Discourse
has kind of this idea, where it increases your user permissions as you
interact more with the system, e.g. asking questions, providing solutions etc.


