There are quite a lot of opportunities to explore, I’d say.
What this situation has shown is that there are various parts of OSM that are fragile and in need of attention. This is what the board can, and probably should, give strong guidance towards.
We learned that account signup is handled by the same codebase that powers the rest of the OSM website, which is written in a language only a small number of people know, and that number is shrinking (Ruby: 6.7% in 2021, 6.2% in 2023). And the main dev there made himself the bottleneck, as he so nicely explains on GitHub.
That problem will not get better over time. So, for the board, the first and most important part is to separate the account-creation from the rest of that system and actually be able to innovate with more developers and less friction. Decide on a tech (Java for instance), hire a dev for just this job and make the account-creation component live. I doubt it needs to be open source.
It bears repeating what we are currently seeing here. This attack is likely caused by a very small number of actors, maybe just one who is a decent programmer. The result is that the OSM community has been mobilized more and more. It has been affecting a very large section of our users and mappers. After the first wave we have seen a lot of people stepping up and helping the DWG with things like reverts, which is great! But this is now the new norm. The DWG would likely not be able to fight this off alone. This means that this attack is now burning through the goodwill of a very large section of the OSM community. This has to stop. The community's resources are too precious!
It is not just the DWG, it is community leaders, it is people that do reverts and it is a lot of mappers in those areas that are in need of reverts as they can’t map lest their work gets reverted too. And naturally downstream.
Because of that, more dramatic but temporary solutions should be considered until the real problem is solved. Where the real problem is the one I described above.
So, immediately start blocking account creation (probably fastest to do at the firewall level) from all IPs that were used to create the accounts that are getting banned. Yes, this will block a lot of VPNs, probably Tor exit nodes too.
But are we ready to tell a much larger group of mappers/users that the organization can’t fight one person with a bot and a willingness to do damage?
I have to say that I agree with the premise of this topic. This is something I am not afraid to blame the foundation and the board about too, this is not a fresh young project and giving random people on the Internet full, unlimited write access to everyone and all data is just plain stupid. There are thousands of projects out there that have all come up with some way to do some limiting of accounts until they gather karma.
It is quite irrelevant to blame this on volunteer developers not having time to do it; this should have been made a priority years ago. Back then it would have been possible to do it without haste and without burning through funding. Now you have lost that option, and burning through funding is by far the best choice you have to keep the project safe. That's the foundation's job, isn't it?
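As an added illustration of the signup-blocking idea raised in the thread (this is example code, not anything from the OSM codebase or from the posters): it takes a constructed list of signups and banned accounts, derives the source IPs behind the banned accounts, and separates IPs that only ever produced banned accounts from shared IPs (VPN, NAT, Tor exits) that also produced legitimate mappers, which go to manual review instead of a blanket block. The nginx snippet assumes a signup path of `/user/new` and a `max_legit` threshold of 1; both are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample signup records (account, source IP); not real OSM data.
SIGNUPS = [
    ("alice", "198.51.100.7"),
    ("bot0001", "203.0.113.10"),
    ("bot0002", "203.0.113.10"),
    ("bot0003", "203.0.113.10"),
    ("bob", "203.0.113.44"),
    ("bot0004", "203.0.113.44"),
    ("carol", "192.0.2.5"),
    ("dave", "192.0.2.5"),
    ("erin", "192.0.2.5"),
    ("bot0005", "192.0.2.5"),
]
# Accounts the DWG has banned (constructed for this example).
BANNED = {"bot0001", "bot0002", "bot0003", "bot0004", "bot0005"}


def classify_ips(signups, banned, max_legit=1):
    """Return (block, review): IPs to deny at signup, and IPs to hand-review.

    An IP is blocked when it produced banned accounts and at most `max_legit`
    non-banned ones. More legitimate accounts than that suggests a shared
    address, so it is flagged for review rather than auto-blocked, to limit
    collateral damage to the mappers behind it.
    """
    per_ip = defaultdict(lambda: {"banned": 0, "legit": 0})
    for account, ip in signups:
        key = "banned" if account in banned else "legit"
        per_ip[str(ipaddress.ip_address(ip))][key] += 1  # normalises the IP text
    block, review = [], []
    for ip, counts in sorted(per_ip.items()):
        if counts["banned"] == 0:
            continue
        (block if counts["legit"] <= max_legit else review).append(ip)
    return block, review


def nginx_signup_deny(block, signup_path="/user/new"):
    """Render an nginx deny list scoped to the signup location only (assumed path)."""
    lines = [f"location = {signup_path} {{"]
    lines += [f"    deny {ip};" for ip in block]
    lines += ["    allow all;", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    to_block, to_review = classify_ips(SIGNUPS, BANNED)
    print(nginx_signup_deny(to_block))
    print("# shared IPs needing manual review:", to_review)
```

Scoping the deny to the signup location keeps existing mappers behind a shared address able to keep editing, which a network-wide firewall drop would not.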