Last week I wrote about certain issues with the authorization scheme we currently use for Mozillians.org. I described a specific problem that I personally want to solve. In the ensuing conversations online and elsewhere, several Mozillians pointed out that I offered no solution. Quite right.
In this post, I’ll propose a way to solve Mozillians.org’s authorization issues, particularly the concern I have about using the word “vouched” to describe Mozillians.org’s members. But to get there, we’ll have to tackle a much larger philosophical question: What does it mean to be a Mozillian? I will offer my answer to that question below, but the question belongs to the community. Its answer requires a chorus of voices. I look forward to hearing from the numerous others working on this question; until then, I offer the below.
To be a Mozillian, a person needn’t have an account in Mozillians.org. And not all accounts in Mozillians.org belong to Mozillians. Nevertheless, for the remainder of this post, I intend to treat the user population of Mozillians.org as synonymous with the group of people we call, “Mozillians.” Here’s why:
- If you have an account on Mozillians.org, other people (including Mozillians) are apt assume you are a Mozillian in word and deed.
- If other people would identify you as a Mozillian based on your actions or principles, then you can get an account on Mozillians.org.
Ergo, being a Mozillian and having an account on Mozillians.org are interchangeable, at least in some contexts.
And in that case, we should be very careful when we tinker with the Mozillians.org signup process. A person who does not share the principles of a Mozillian, or who has not taken the actions expected of a Mozillian, should not be able to join Mozillians.org. A person who shares those principles and has taken those actions should get an account easily. So signing up for Mozillians.org should require some verification of principles and action.
That’s the spirit behind the current signup process. Right now, in order to join Mozillians.org, a prospective Mozillian must “get vouched”. Getting vouched means finding an existing Mozillian — ostensibly, to prove yourself to them — and asking them to make you a full member of Mozillians.org by vouching you.
But as I discussed at length in my earlier post, the vouching system has some important flaws. One of them is that it’s not true to life. People don’t become Mozillians by finding some other Mozillian and asking if they can be a Mozillian too. People become Mozillians through action and principle.
So, when designing the Mozillians signup process, we need to identify the actions and principles that clearly make someone a Mozillian, then build them in code. Our signup process will explain what it means to be a Mozillian and it will verify that people joining Mozillians.org are, indeed, Mozillians.
Which means that, in order to fix the Mozillians.org’s authorization issues, we have to answer a fundamental question: What does it mean to be a Mozillian? What are the principles and actions that distinguish a Mozillian from a run-of-the-mill netizen?
What are the principles and actions that distinguish a Mozillian?
I think the answer is simple: Being a Mozillian means you actively and intentionally advance the principles in Mozilla’s Manifesto.
Of course that simple answer masks significant complexity. It’s difficult to even talk about what being a Mozillian means because we have overloaded the term “Mozillian.” We use it to identify members of a movement and we also use it to describe an authorization flag. We’ll never come to any consensus about a word that we use differently in different contexts. So let’s disambiguate.
1. We use “Mozillian” to describe a group of people who relate to Mozilla’s brand, products and principles.
When Mozillians.org was built, its intended audience was the so-called “core contributors“: people who have leadership positions within one of Mozilla’s projects. This group comprises a few hundred individuals. Not all of them have accounts on Mozillians.org.
Nowadays, Mozillians.org accounts include nearly 1,800 belonging to people who participated in Mozilla’s 2013 Summit event, which was billed as a global gathering of Mozillians. The majority of Summit attendees are “active contributors“: people who have volunteered substantial time and interacted with other Mozillians in the past 12 months. Some of them are core contributors, some are not. All of them are quite committed to actively working on Mozilla’s behalf.
Mozillians.org’s 4,000 users also include at least a few “casual contributors“: people who have contributed to Mozilla’s work in some way – say, by submitting a crash report or filing a bug – but don’t put in time for Mozilla every week. Some would say casual contributors aren’t Mozillians, which makes their accounts in Mozillians.org a data quality issue.
In each of the above cases, we use “Mozillians” to describe a group of people who relate to Mozilla. They specifically relate to Mozilla through action. But action alone isn’t enough to identify a Mozillian. Mozillians are Mozillians only if they self-identify as such. “Mozillian” is an identity someone assumes because they are aware of the principles in the Mozilla Manifesto and intend to advance them.
2) We use “Mozillian” to describe a group of people who can be trusted with sensitive data and access.
When “Mozillian” described a few hundred people, most of them daily contributors, it made sense to treat membership in the group as a signal of trust. If you were a Mozillian, you may have received press releases pre-embargo, seen web sites before launch, heard product announcements early, or received some other access or account. All of this was granted simply because you were a Mozillian.
Now, with more than 4,000 accounts on Mozillians.org, that single authorization flag is insufficient. While some groups share things with all Mozillians, not all groups do. IT teams don’t grant someone commit access to a repository simply because they’re a Mozillian; they grant commit access to people who have passed through a specific process unrelated to being a Mozillian. Public relations and press liasons don’t always share pre-embargo press with all Mozillians; folks working on security issues don’t always share vulnerability information with all Mozillians; product teams don’t always share pre-release product announcements with all Mozillians. Each group shares information with a subset of Mozillians who’ve joined a smaller trust network through some mechanism independent of the mechanism that makes someone a Mozillian.
In the future, the Mozillians network will be even less suitable for granting access. Mozilla is a giant world-wide movement aspiring to grow. We hope to have a million Mozillians one day. That’s not a trust network. Membership in the movement implies shared principles, but doesn’t guarantee complete alignment or trust. If we wish to grow the network, we must acknowledge this.
This evolution doesn’t restrict our ability to use trusted groups to share things with Mozillians. Instead, by relieving the overall network of an unrealistic expectation that it should always be trusted, we create the possibility of ever richer, more specific communities of trust. Whenever trust is required for some activity, an authorization group will emerge. The group’s curators will determine what process distinguishes its members. With a few small tweaks, Mozillians.org can be a repository of such groups.
The authorization connotations of “Mozillian” are falling away even now. “Mozillian” no longer means, “people we automatically share sensitive things with.”
Both of the above cases describe an evolution: of the concept “Mozillian,” of the group collectively called “Mozillians,” and of the membership of Mozillians.org. In the past the community was small and trusted. Now it is not-so-small and not-so-trusted. And in the future it may have many, many more members.
But the community’s current definition doesn’t scale; instead, it impedes evolution. Vouching isn’t how we become Mozillians; restricting our membership to daily contributors isn’t how we grow to have a million Mozillians. We need to encourage casual contributors to become Mozillians. We need an inclusive definition of “Mozillian,” one that admits people who have varying levels of commitment and time. These Mozillians will value Mozilla’s Manifesto just as much as Mozilla’s core contributors do – they’ll just have less time to spend volunteering.
We need an inclusive definition of “Mozillian”
In the future, when we have 1 million Mozillians, “Mozillian” will be a term we use to describe people who…
- Self-identify as being a Mozillian
- Take some individual or collective action to advance the principles in the Manifesto
We can’t wait for the first million to join us before we start thinking of ourselves this way. We have to create an inclusive network now that invites the exponential growth we aspire to. To get there, we should agree: Mozillians are people who actively and intentionally advance the principles in Mozilla’s Manifesto. People who actively and intentionally advance the principles in Mozilla’s Manifesto are Mozillians.
Now, having grappled with philosophy far exceeding my capabilities, I return to more familiar territory. Whew!
Once we’ve explained in simple terms what it means to be a Mozillian, we simply have to devise a Mozillians.org signup process that encodes it. If we were to do so with the definition I offer above, then we would ask people signing up for Mozillians.org to read the Manifesto and input a URL (to a pull request submitted, a bug closed, an addon distributed, a Manifesto principle tweeted, a t-shirt bought, et cetera). We’d take their signup as proof of self-identification and we’d use the URL to verify action taken.
That’s how I’d solve the Mozillians.org authorization issue. I’m sure others have great ideas too! Here’s what I think those ideas should do:
- Define in simple terms what it means to be a Mozillian. Bonus points if the definition scales!
- Explain how to encode it in a web application signup process.
Please do comment, share, critique, and improve upon this post.