Board to vote on the mantra requirement

I've stumbled upon the minutes from the board meeting of March 31, 2026
and found what looks like an ill-defined motion to:

  - Drop the "mantra" requirement to become an OSGeo User

  - Allow anyone with a passport from major corporations (Google, Meta, Apple, Microsoft) to automatically become an "OSGeo User"

The motion goal seems to be aimed at simplifyinng the onboarding experience,
but seems to be missing the point of the "mantra" as an intentional barrier
we setup to protect ourselves from spammers.

In this era of raising barriers against AI agents finding a contrary motion to
instead open up our shared house to strangers seems unexpected so I'm voicing
my concern about it.

On the technical side, I'd be very favorable in deploying Keycloack as
a Single Sign On solution, to allow services provided by OSGeo and by
others to accept the "OSGeo Passport" in addition to other passports
they may choose to support, but I think there's still a value in the effort
it takes to obtain such "OSGeo Passport" and that removing that barrier would
reduce such value.

I hope the board members will make an effort to understand the topic more deeply
in order to be able to take an informed decision, and I'm surprised SAC list was
not involved in the conversation.

--strk;

  Libre GIS consultant/developer :trumpet:
  strk's services

I've stumbled upon the minutes from the board meeting of March 31, 2026
and found what looks like an ill-defined motion to:

  - Drop the "mantra" requirement to become an OSGeo User

  - Allow anyone with a passport from major corporations (Google, Meta,
Apple, Microsoft) to automatically become an "OSGeo User"

I agree here. It's unclear from the motion, if we are just to trust anyone with a Google or Meta or whatever account with out proper vetting.

The motion goal seems to be aimed at simplifyinng the onboarding
experience, but seems to be missing the point of the "mantra" as an
intentional barrier we setup to protect ourselves from spammers.

In this era of raising barriers against AI agents finding a contrary motion to
instead open up our shared house to strangers seems unexpected so I'm
voicing my concern about it.

On the technical side, I'd be very favorable in deploying Keycloack as a Single
Sign On solution, to allow services provided by OSGeo and by others to accept
the "OSGeo Passport" in addition to other passports they may choose to
support, but I think there's still a value in the effort it takes to obtain such
"OSGeo Passport" and that removing that barrier would reduce such value.

If keycloak allowed that, that would be great. Don't know enough about it to know and how exactly it would tie in to some of our other services
Like weblate / discourse which already support multiple auths.

I think I'd still want to stick with LDAP at least for accessing our servers, because we use that to hold our ssh public keys to authenticate project members to access their servers.
I'm not sure if keycloak could do that, it sounds like it would still need LDAP as an authentication source and delegate to that.

The main pain points I see with LDAP brought up:

a) The MFA brought up in the motion - which I agree with that we need MFA for LDAP for the id.osgeo.org but I suspect that is not that hard to fix.

b) What LDAP is used for that it may not need to be:
1) Signing up for code sprints on WIKI -- it is kinda silly someone needs an OSGeo account to sign up for a code-sprint, that probably should just be moved to discourse (I need to check but I think there is an event's plugin we can use or mark a topic as a wiki and allow people to add their names) . Discourse already is pretty frictionless you can self-register, use github, or a https://id.discourse.com which lets you sign up with any of those commercial services already.

2) The large number of QGIS plugin authors needing an OSGeo account, which thankfully Richard Duivenvoorde has been handling now.
   For this case, I really would like Keycloak rolled out for this and see how it works before we put any great effort in changing our other infrastructure to support it.

I hope the board members will make an effort to understand the topic more
deeply in order to be able to take an informed decision, and I'm surprised SAC
list was not involved in the conversation.

--strk;

  Libre GIS consultant/developer :trumpet:
  strk's services

On Mon, Jun 15, 2026 at 12:40:20PM -0400, Regina Obe wrote:

The main pain points I see with LDAP brought up:

a) The MFA brought up in the motion - which I agree with that we need MFA for LDAP for the id.osgeo.org but I suspect that is not that hard to fix.

Note that some of our services already support multi-factor authentication locally,
for example Gitea: Making sure you're not a bot!

To activate MFA we need a _second_ factor, so by definition something in addition to what we already have, which means you don't need to ditch LDAP in order to get MFA.

b) What LDAP is used for that it may not need to be:

1) Signing up for code sprints on WIKI

I'm not familiar with the code sprints setup, I guess even an email would be ok to sign-up ?

2) The large number of QGIS plugin authors needing an OSGeo account

I think the QGIS Plugins Repository service could just accept whatever
passport is provided by the companies QGIS PSC decides to trust, there's
no need to change anything on the OSGeo infrastructure side for that, and
definitely we don't need a centralized Keycloack for that (as long as I know).

I see the "accept other passports" as something we want to enable or disable
on a per-service basis. Some services provide more protection against spam,
some are weaker, we want stronger identity for the weaker ones, I think.

--strk;

  Libre GIS consultant/developer :trumpet:
  strk's services

> The main pain points I see with LDAP brought up:
>
> a) The MFA brought up in the motion - which I agree with that we need MFA
for LDAP for the id.osgeo.org but I suspect that is not that hard to fix.

Note that some of our services already support multi-factor authentication
locally, for example Gitea: Making sure you're not a bot!

Yes so does our wordpress, which was brought up, but we don't have using it enforced.
We don't have enforced on gitea either.

We didn't do that to minimize friction but that would be the first thing.

I think though that id.osgeo.org should require MFA cause that's where people setup their passwords, emails, and put their public keys.
That has always bothered me it does not require MFA.

To activate MFA we need a _second_ factor, so by definition something in
addition to what we already have, which means you don't need to ditch LDAP
in order to get MFA.

> b) What LDAP is used for that it may not need to be:
>
> 1) Signing up for code sprints on WIKI

I'm not familiar with the code sprints setup, I guess even an email would be ok
to sign-up ?

I know that a lot of OSGeo events create a page on the wiki and have people signup there.
I was thinking possibly https://talks.osgeo.org could be used for this but not sure cause that would be the most logical place to put it since the calendar of who's speaking is in there already and all the international and many of the local FOSS4Gs are already using it to accept speakers.

> 2) The large number of QGIS plugin authors needing an OSGeo account

I think the QGIS Plugins Repository service could just accept whatever
passport is provided by the companies QGIS PSC decides to trust, there's no
need to change anything on the OSGeo infrastructure side for that, and
definitely we don't need a centralized Keycloack for that (as long as I know).

I see the "accept other passports" as something we want to enable or disable
on a per-service basis. Some services provide more protection against spam,
some are weaker, we want stronger identity for the weaker ones, I think.

--strk;

  Libre GIS consultant/developer :trumpet:
  strk's services

Sandro Santilli via Sac <sac@lists.osgeo.org> writes:

I've stumbled upon the minutes from the board meeting of March 31, 2026
and found what looks like an ill-defined motion to:

  - Drop the "mantra" requirement to become an OSGeo User

  - Allow anyone with a passport from major corporations (Google, Meta, Apple, Microsoft) to automatically become an "OSGeo User"

Speaking as someone on the periphery who has never been clear on this,
because I've had an osgeo id for a really long time:

  I have been seeing "mantra" and found it odd phrasing. It was seemed
  obvious that somehow people needed permission for account creation, to
  stop spa, and that makes sense, but I would have expected that people
  could create an account and then someone -- perhaps a large class of
  people -- could approve the person as not a spammer to make it really
  active, vs getting timed out, and we'd do that if someone had been
  interacting reasonably or something. Deciding to turn that off seems
  surprising.

  I find the word "passport" to be very strange, and I wonder if I'm
  just not up on terminology. I would think this is an account that can
  be used as an identity provider, and if that's what people mean would
  be good to actually say that.

  I find the idea of accepting an account with a "major corporation"
  (when people can't just sign up) as deeply offensive and contrary to
  what osgeo should be doing. That normalizes big tech's bad practices,
  including invasive identity requirements. I am frequently spammed by
  google, via people that have created google accounts and gmail, and by
  people that have further created custom domains. The idea that a
  google account proves that you aren't a spammer is ludicrous.

  I would go so far as to say that accounts from an IdP should only be
  accepted for signup if they meet ethical standards, such as not
  requiring the person to provide a phone number. If osgeo does not
  have a True Name policy, then add that too. I'm less concerned about
  letting a person who can log in link another IdP.

On the technical side, I'd be very favorable in deploying Keycloack as
a Single Sign On solution, to allow services provided by OSGeo and by
others to accept the "OSGeo Passport" in addition to other passports
they may choose to support, but I think there's still a value in the effort
it takes to obtain such "OSGeo Passport" and that removing that barrier would
reduce such value.

Modulo using the word 'passport', that makes a lot of sense to me.

Perhaps we should be separating authentication and the authorization
function for account creation. The big issue is requiring authorization
for osgeo account creation.

"Regina Obe" <lr@pcorp.us> writes:

On the technical side, I'd be very favorable in deploying Keycloack as a Single
Sign On solution, to allow services provided by OSGeo and by others to accept
the "OSGeo Passport" in addition to other passports they may choose to
support, but I think there's still a value in the effort it takes to obtain such
"OSGeo Passport" and that removing that barrier would reduce such value.

If keycloak allowed that, that would be great. Don't know enough
about it to know and how exactly it would tie in to some of our other
services Like weblate / discourse which already support multiple
auths.

I think I'd still want to stick with LDAP at least for accessing our
servers, because we use that to hold our ssh public keys to
authenticate project members to access their servers. I'm not sure if
keycloak could do that, it sounds like it would still need LDAP as an
authentication source and delegate to that.

It may be interesting to look at openstreetmap's experience. There is
now, I think, OAUTH2, and various things can invoke that to get
credentials to act as the user against the main site. That may be
different from federated identity "login with foo".

I think the LDAP/ssh issue is that beyond the web authentication flow
(which can be turned into MFA by requiring that at login time), there is
authentication *not via web protocols* and in particular ssh pubkeys.
So an osgeo user has

  web authentication
  a set of ssh keys

whether the ssh keys are in in LDAP or some other mechanism matters for
maintainability but I don't see it as fundamental. (I also don't see a
reason to change.).

I think it's entirely reasonable, as a long term plan, to have all
services that do web auth to use some kind of oauth2 and not accept
passwords, and thus not have to have passwords in LDAP.

The main pain points I see with LDAP brought up:

a) The MFA brought up in the motion - which I agree with that we need MFA for LDAP for the id.osgeo.org but I suspect that is not that hard to fix.

I don't follow "MFA for LDAP". The issue is not so much access to LDAP
but MFA for people wanting access while being validated by credentials
stored in LDAP. Maybe you meant that.

2) The large number of QGIS plugin authors needing an OSGeo account, which thankfully Richard Duivenvoorde has been handling now.
   For this case, I really would like Keycloak rolled out for this and see how it works before we put any great effort in changing our other infrastructure to support it.
Get rid of OSGEO LDAP signup · Issue #274 · qgis/QGIS-Plugins-Website · GitHub

That sounds like they are deciding that they are willing to take any
account with no anti-spam signup.
And, to discriminate in favor of those with big tech relationships.

> I've stumbled upon the minutes from the board meeting of March 31,
> 2026 and found what looks like an ill-defined motion to:
>
> - Drop the "mantra" requirement to become an OSGeo User
>
> - Allow anyone with a passport from major corporations (Google, Meta,
Apple, Microsoft) to automatically become an "OSGeo User"

Speaking as someone on the periphery who has never been clear on this,
because I've had an osgeo id for a really long time:

  I have been seeing "mantra" and found it odd phrasing. It was seemed
  obvious that somehow people needed permission for account creation, to
  stop spa, and that makes sense, but I would have expected that people
  could create an account and then someone -- perhaps a large class of
  people -- could approve the person as not a spammer to make it really
  active, vs getting timed out, and we'd do that if someone had been
  interacting reasonably or something. Deciding to turn that off seems
  surprising.

Yah we had that with wiki, but what happened is the list of people queued up
waiting to be approved and no one had time to approve them.
I think the main issue is regardless whether you allow people to register
and vet them later or vet them before they register.
You still have the same problem:

Someone has to vet them, and everyone seems to be trying to get around
having no one vet them to save people time.
So the burden always falls on just a few people who get exhausted and leave.

Like for example on discourse we do allow everyone to register, use github,
use ldap whatever, but the very first post they do we require vetting.
That is because we got spammed a lot when we didn't require vetting.

Even there where there are quite a few people that can vet, the burden ends
up falling on just a few people because no one has time to vet anyone.

Now if we did have keycloak, in theory we could allow OpenStreetMap (IdP) as
a trusted provider and if they've already vetted someone, chances are we can
trust that person and not bother revetting for most services we provide.
Same for PostgreSQL and other open source orgs that already have a single
sign on system.

I do prefer the vet first (to make sure you are a good actor or autovetting
if we really trust the IdP) before allowing your identity to exist in our
system, cause otherwise your system is just filled with spam accounts.
Some services require more vetting than others, but a basic account should
allow you to do something.

Perhaps we should be separating authentication and the authorization
function for account creation. The big issue is requiring authorization

for

osgeo account creation.

The big issue is having an account you can do something with. I agree that
yes the authorization is a separate issue.
To Sandro's and your point, it really matters the level of vetting you need
what we allow a non-authorized account to do.

I feel it should increase with longevity and past performance. Discourse
has kind of this idea, where it increases your user permissions as you
interact more with the system e.g asking questions, providing solutions etc.

I think the LDAP/ssh issue is that beyond the web authentication flow

(which

can be turned into MFA by requiring that at login time), there is

authentication

*not via web protocols* and in particular ssh pubkeys.
So an osgeo user has

  web authentication
  a set of ssh keys

whether the ssh keys are in in LDAP or some other mechanism matters for
maintainability but I don't see it as fundamental. (I also don't see a

reason to

change.).

I think it's entirely reasonable, as a long term plan, to have all

services that do

web auth to use some kind of oauth2 and not accept passwords, and thus not
have to have passwords in LDAP.

Agree. Yes it wasn't so much the MFA of LDAP as much as just protecting our
id.osgeo.org website where they edit their profile and register their ssh
keys.
You can't do anything with an ssh key if you are not in the shell group
anyway. So it's mostly a concern with shell users having their accounts
compromised.

That makes sense why it's hard, but the idea that "user has an account
with $somebody is evidence that they are not a bad actor" fundamentally
does not make sense, unless the other entity has signup/vetting rules
that are at least as strict.

AFAIK you can just sign up with OSM. If you misbehave your edits are
reverted and you get blocked. But as with osgeo I've had an account for
a long time and have no recent experience. I'm pretty sure that
accepting osm members as vetted will just lead spammers to register
there, then register at osgeo, which even seems scriptable :wink:

the idea that "user has an account with $somebody is evidence that they are not a bad actor" fundamentally does not make sense

And yet this was exactly criterion based on which I've sent the mantra to hundreds of people: a GitHub account showing their email address.

Over the past couple of years, I've probably sent thousands of responses to mantra-request. I'm pretty certain I have not stopped a single spammer. I did stop a bunch of people with no public online identity. It's not a contribution I'm proud of.

passport

That term reminds me of Microsoft Passport, which wasn't that great, was it? People aren't logging in with Gmail because it's their passport, but rather because it's convenient to remember one less password. It's not a statement, it's just convenience.

arguments for keeping the mantra

First, I'd like to point out that the staunchest supporters of the mantra are not responding to ~300 requests each month. I did that for a long time. I finally cracked when, after asking a 500th user to upload the source code of a QGIS plugin (instead of a ZIP), I got instead a Python file called "source code" added to the repo.

Thanks to Richard for picking this up.

I think the QGIS Plugins Repository service could just accept whatever passport is provided by the companies QGIS PSC decides to trust

It already accepts GItHub, GitLab and Gmail.

older arguments about requiring a domain to get an account

I'd hate this. Not everyone has or needs a domain. I've never seen such a high bar to enter a community, especially one that calls itself "Open".

older arguments not wanting to get more issues filed

This is just as bad as stalebot.

older arguments about the sense of a community

Sure, a community would be nice, but how many of the thousands who registered to publish their plugins or to report a PostGIS issue are really part of the community? They uploaded their plugin or filed their issue, and none of us saw them again.

So yeah, I don't think I would miss the mantra too much if it went away.

Laurentiu

PS: I think the mantra is fine, but its scope is too large. It's fine if we make people jump through hoops to get a page on our WordPress. But for QGIS I think we should just tell them to use the other SSOs.

Laurentiu

Your points about the mantra process being a lot of work and not
achieving its security goals are compelling. I am an outsider, but this
leaves me not seeing the point of keeping doing that.

passport

That term reminds me of Microsoft Passport, which wasn't that great,
was it? People aren't logging in with Gmail because it's their
passport, but rather because it's convenient to remember one less
password. It's not a statement, it's just convenience.

The situation makes me really uncomfortable with using the word. It's
just an ID provider, and nothing more. I suggest osgeo adopt a policy
of not using the term passport.

I also think using words so that normies will think they will
udnerstand, when they don't, is harmful.

I think the QGIS Plugins Repository service could just accept whatever passport is provided by the companies QGIS PSC decides to trust

It already accepts GItHub, GitLab and Gmail.

Again that seems wrong to preference big tech.

It seems like osgeo is attempting to be an ID provider with osgeo
accounts, and that qgis repo should just use those (which people, having
created an account, can perhaps associate some ID provider with, in an
open standards even handed way that doesn't preference specific
proprietary monopolies). I perceive that qgis plugins is not doing this
because getting an osgeo id is too hard.

It also seems like it would be good to separate authorization for
specific actions from the identity part of an account. presumably for a
plugin, there is some review of the plugin, that it is ok enough
technically and not malicious, and that would result in setting an
ok-to-publish-this-plugin bit on that person's account.

Sounds like apple pie, but feels like we are multiple steps sideways
based on historical baggage. My $0.02 lookign from mostly outside.

In article <ajAk7xoyWq8ZpdGO@c19.localdomain> you wrote:

In this era of raising barriers against AI agents finding a contrary motion to
instead open up our shared house to strangers seems unexpected so I'm voicing
my concern about it.

I'd like to note that at the times when I mostly dropped out of OSGeo
infrastructure maintenance, which I did years before the AI era, we already
had approx. 15.000 registered LDAP accounts, of which just a few hundred at
maximum were backed by real OSGeo users.

Nowadays I'd expect the user database to fill up even quicker with crap
unrelated to OSGeo if barriers against AI agents get removed.

Kind regads,

  Martin
--
Unix _IS_ user friendly - it's just selective about who its friends are !
--------------------------------------------------------------------------

On Mon, Jun 15, 2026 at 12:40:20PM -0400, Regina Obe wrote:

On Mon, Jun 15, 2026 at 06:14:39PM +0200, Sandro Santilli wrote:
>
> Single Sign On solution, to allow services provided by OSGeo and by
> others to accept the "OSGeo Passport" in addition to other passports

If keycloak allowed that, that would be great.

I think it does. I'm sure SimpleID for OpenID-2.0 does support LDAP too, and a ticket
to deploy THAT as a Single Sign On was filed 10 years ago:

  Making sure you're not a bot!

--strk;

  Libre GIS consultant/developer :trumpet:
  strk's services

On Mon, Jun 15, 2026 at 01:27:27PM -0400, Regina Obe wrote:

I think though that id.osgeo.org should require MFA cause that's where
people setup their passwords, emails, and put their public keys.
That has always bothered me it does not require MFA.

You mean id.osgeo.org/ldap/create, right ?
Did you file a ticket about it ? Feel free to assign to me if you do.

--strk;

  Libre GIS consultant/developer :trumpet:
  strk's services

> I think though that id.osgeo.org should require MFA cause that's where
> people setup their passwords, emails, and put their public keys.
> That has always bothered me it does not require MFA.

You mean id.osgeo.org/ldap/create, right ?
Did you file a ticket about it ? Feel free to assign to me if you do.

--strk;

  Libre GIS consultant/developer :trumpet:
  strk's services

Done Making sure you're not a bot!