I think it would be a good idea if the GNU infrastructure was modified to also be an OAuth 2.0/OpenID provider. These are open standards and there are a number of open source implementations (for example https://github.com/ory/hydra which is Apache 2.0). It would likely improve the reliability and security of FSF/GNU IAM infrastructure[*] and enable users with FSF/GNU identities to use them with approved/authorised identity consumers. However, there would likely be some significant architecture changes required, though this could be done in stages. The side benefit would be an ethical identity provider that could be used by those who have an FSF/GNU login.

With regard to the specific question as to whether some form of 'generic' identity could be used to allow bug reports to be lodged without the need for the user to have an OAuth identity, the answer is yes, this could be done. Whether this is a good idea is another question. In general, 'generic' identities are a bad thing and should be avoided (for example, what would you do if someone were to abuse this identity and script the logging of large numbers of bogus bug reports? You don't want to disable the identity as it would adversely impact legitimate use). This does not mean it cannot be done, only that it would require careful consideration of such risks.

Personally, I'm not sure why we seem to keep considering this as an 'all or nothing' solution. Why can we not have the best of both? Have an email gateway to submit bugs in a similar manner to how it is done now AND a web interface to log, browse, update issues for those with an OAuth 2.0 compliant login and who want that level of access? You could even set up the report bug functionality to use an OAuth based form submission if the user has set up an OAuth 2.0 ID and fall back to email if they don't.

[*] I don't know anything about FSF/GNU infrastructure or the underlying architecture. However, I have been involved in a number of IAM projects in both medium and large organisations and have seen the maintenance and support benefits of a solid identity provider used by all the applications in an organisation. I have also seen the challenges, maintenance and security issues associated with IAM solutions which have developed 'organically' as an organisation has grown.

On Mon, 30 Dec 2019 at 11:17, Richard Stallman <rms@gnu.org> wrote:
[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > > You need an account if you want to write a new bug report ("issue") in
  > > Gitlab, even for public projects. No problem for Emacs developers, they
  > > will have an account on Emacs' Gitlab stanza. But we will miss bug
  > > reports from Emacs users, which usually have no account there.

  > It has OAuth support, users could log in using an account from a number
  > of popular services. So that should be a non-issue.

I don't think we can assume that everyone who uses Emacs and might report
a bug has an OAuth account, or would go ahead and make one for this.
I don't have one.  No GNU activity requires one.

Is it possible to have something run on a GNU server and use one
specific OAuth account to submit various people's Emacs bug reports,
all using a single shared OAuth account?

--
Dr Richard Stallman
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)





--
regards,

Tim

--
Tim Cross