[tor-talk] torproject forum hosted by 3rd party?
gus at torproject.org
Fri Oct 29 14:41:08 UTC 2021
Thanks for your concern about the Tor Forum.
As I said on my previous emails, we've decided to go with their free
hosting plan for open source projects. Qubes community also followed
that path: started with their free hosting plan and moved to a
I also pointed that 'information collected' is mitigated using Tor
Browser and/or 'mailing list' mode, where you don't need to use the web
On Fri, Oct 29, 2021 at 04:00:50PM +0200, nusenu wrote:
> the Torproject is about to launch the new Discourse based forum next week 
> With this email I'd like to initiate a discussion on whether it is a good idea to externalize
> hosting of what might become a important platform for the tor community.
> I believe discourse is a great platform, but
> I was surprised to learn that the forum is _not_ self-hosted on torproject infrastructure.
> It is hosted by "Civilized Discourse Construction Kit, Inc." the company behind discourse.org.
> That means the torproject does not have full control over the infrastructure and its security and logging practices.
> Discourse's third party hosting also does not support onion services .
> to https://www.discourse.org/privacy on https://forum.torproject.net/privacy.
> Especially since this forum will be used for tor browser support it will also include people's IP addresses
> when they are unable to use tor browser to protect themselves.
> When you open https://forum.torproject.net in a browser it will fetch resources from multiple places:
> fonts.googleapis.com (Google)
> fonts.gstatic.com (Google)
> avatars.discourse-cdn.com (proinity LLC, AS44239)
> forum.torprojec.net/torproject1.hosted-by-discourse.com (CNAME) Hurricane Electric LLC
> To quote Gaba from the gitlab ticket :
> > If there is a risk on running this forum outside TPA infrastructure then we need to change this and host Discourse in TPA.
> (TPA is the torproject admin team https://gitlab.torproject.org/tpo/tpa/team)
> I agree with Gaba and I'm glad anarcat (torproject admin team) is not totally against self-hosting  even though
> discourse is docker based.
> Self-hosting would also allow for:
> - better domain: forum.torproject.org (the torproject.net domain is basically unknown and I guess many people
> will be confused. I agree with anarcat to use the .net domain when it is not run on TPA infrastructure)
> - no IP logging
> - no external resources
> - no troubles for tor browser users should discourse decide to enable CAPTCHA or use a CDN that enforces CAPTCHAs in the future
> What is the main reasoning for using a 3rd party hosted Discourse instance instead of a self-hosted instance?
> (besides the obvious 'so we don't have to patch and maintain it ourselves')
> related gitlab ticket:
> kind regards,
>  https://lists.torproject.org/pipermail/tor-community-team/2021-October/000423.html
>  https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2740700
>  https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2749919
>  https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2750060
>  https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2751283
> tor-talk mailing list - tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
The Tor Project
Community Team Lead
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: not available
More information about the tor-talk