[tor-talk] torproject forum hosted by 3rd party?

gus gus at torproject.org
Fri Oct 29 14:41:08 UTC 2021


Hi Nusenu,

Thanks for your concern about the Tor Forum.

As I said on my previous emails[1], we've decided to go with their free
hosting plan for open source projects. Qubes community also followed
that path: started with their free hosting plan and moved to a
self-hosted instance.

I also pointed that 'information collected' is mitigated using Tor
Browser and/or 'mailing list' mode, where you don't need to use the web
interface.

Gus

[1]
https://lists.torproject.org/pipermail/tor-relays/2021-October/019940.html
[2] 
https://lists.torproject.org/pipermail/tor-relays/2021-October/019941.html

On Fri, Oct 29, 2021 at 04:00:50PM +0200, nusenu wrote:
> Hi,
> 
> the Torproject is about to launch the new Discourse based forum next week [1]
> https://forum.torproject.net
> 
> With this email I'd like to initiate a discussion on whether it is a good idea to externalize
> hosting of what might become a important platform for the tor community.
> 
> I believe discourse is a great platform, but
> I was surprised to learn that the forum is _not_ self-hosted on torproject infrastructure.
> It is hosted by "Civilized Discourse Construction Kit, Inc." the company behind discourse.org.
> That means the torproject does not have full control over the infrastructure and its security and logging practices.
> Discourse's third party hosting also does not support onion services [2].
> 
> The forum privacy policy mentions that IPs get logged and stored over an extensive amount of time
> https://forum.torproject.net/privacy
> As Jérôme pointed out [5] the forum is also subject to discourse's privacy policy, so maybe it would be good to include a link
> to https://www.discourse.org/privacy on https://forum.torproject.net/privacy.
> 
> 
> Especially since this forum will be used for tor browser support it will also include people's IP addresses
> when they are unable to use tor browser to protect themselves.
> 
> 
> When you open https://forum.torproject.net in a browser it will fetch resources from multiple places:
> 
> fonts.googleapis.com (Google)
> fonts.gstatic.com (Google)
> aws1.discourse-cdn.com
> avatars.discourse-cdn.com (proinity LLC, AS44239)
> forum.torprojec.net/torproject1.hosted-by-discourse.com (CNAME)  Hurricane Electric LLC
> 
> 
> To quote Gaba from the gitlab ticket [3]:
> > If there is a risk on running this forum outside TPA infrastructure then we need to change this and host Discourse in TPA.
> 
> (TPA is the torproject admin team https://gitlab.torproject.org/tpo/tpa/team)
> 
> I agree with Gaba and I'm glad anarcat (torproject admin team) is not totally against self-hosting [4] even though
> discourse is docker based.
> 
> 
> Self-hosting would also allow for:
> 
> - better domain: forum.torproject.org (the torproject.net domain is basically unknown and I guess many people
> will be confused. I agree with anarcat to use the .net domain when it is not run on TPA infrastructure)
> - no IP logging
> - no external resources
> - no troubles for tor browser users should discourse decide to enable CAPTCHA or use a CDN that enforces CAPTCHAs in the future
> 
> 
> What is the main reasoning for using a 3rd party hosted Discourse instance instead of a self-hosted instance?
> (besides the obvious 'so we don't have to patch and maintain it ourselves')
> 
> 
> related gitlab ticket:
> https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183
> https://gitlab.torproject.org/tpo/web/team/-/wikis/Plan-To-Launch-Tor's-Forum
> 
> 
> 
> kind regards,
> nusenu
> 
> 
> 
> [1] https://lists.torproject.org/pipermail/tor-community-team/2021-October/000423.html
> [2] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2740700
> [3] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2749919
> [4] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2750060
> [5] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2751283
> 
> -- 
> https://nusenu.github.io
> -- 
> tor-talk mailing list - tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

-- 
The Tor Project
Community Team Lead
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20211029/e9348d8b/attachment.sig>


More information about the tor-talk mailing list