[Osmf-talk] Possible vote on membership prerequisites
Tobias Knerr
osm at tobias-knerr.de
Sat Oct 24 21:04:39 UTC 2020
On 23.10.20 21:44, Mikel Maron wrote:
> Whatever number of days you choose, and whatever rationale is invented
> to arrive at that number, a malicious actor could achieve them.

Coordinating and instructing hundreds of people to make the necessary
contributions to become individually eligible for membership is feasible
for a determined attacker. But it's not trivial – at the very least it
requires extra lead time, and it makes the plan easier to spot because
of the requisite public activity. (Compare this with application forms
and fee payments – they are private, so there is a very low number of
people who even have a chance to notice anything fishy going on.)

Needing to stay under our radar during these preparations gives the
malicious actor extra opportunities to mess up, especially in the case
of an outside organization that lacks experience with how OSM works and
may therefore act somewhat clumsily.

In contrast, the added prerequisites would mean very little extra effort
for most applicants from within the community: All that's needed for an
active mapper to join is entering their OSM user name in the application
form, which we already ask for. People with non-quantifiable
contributions might need to write a paragraph about it, but as you know
we would like to extend automatic validation to other kinds of
contributions.

So here we have a measure that isn't much of a barrier for the people we
want to join the foundation, but makes things noticeably trickier for
malicious actors. Sounds like a win to me.

It's not unassailable, nor does it claim to be. There is no single
measure that can prevent all takeover threats. Instead, the measures we
have already installed, and the ones we still intend to install, need
to work together to offer a good level of protection in aggregate.

> If the
> point is takeover protection, this is a suggestion that might feel
> satisfying on some level, but that lacks strategy and effectiveness.

I've talked about takeover protection above, but going beyond that
concern, the proposal embodies a rather fundamental principle: People
who contribute to OSM (in one of the many forms this can take) are the
ones who should have a say in how OSM is run.

Seeing how this has quite some impact on our identity as an
organization, it seems worth putting it in writing.