Hi Nusenu,

Thanks for your concern about the Tor Forum.

As I said in my previous emails[1], we've decided to go with their free hosting plan for open source projects. Qubes community also followed that path: started with their free hosting plan and moved to a self-hosted instance.

I also pointed out that 'information collected' is mitigated using Tor Browser and/or 'mailing list' mode, where you don't need to use the web interface.

Gus

[1] https://lists.torproject.org/pipermail/tor-relays/2021-October/019940.html
[2] https://lists.torproject.org/pipermail/tor-relays/2021-October/019941.html

On Fri, Oct 29, 2021 at 04:00:50PM +0200, nusenu wrote:
> Hi,
>
> the Torproject is about to launch the new Discourse based forum next week [1]
> https://forum.torproject.net
>
> With this email I'd like to initiate a discussion on whether it is a good idea to externalize
> hosting of what might become an important platform for the tor community.
>
> I believe discourse is a great platform, but
> I was surprised to learn that the forum is _not_ self-hosted on torproject infrastructure.
> It is hosted by "Civilized Discourse Construction Kit, Inc." the company behind discourse.org.
> That means the torproject does not have full control over the infrastructure and its security and logging practices.
> Discourse's third party hosting also does not support onion services [2].
>
> The forum privacy policy mentions that IPs get logged and stored over an extensive amount of time
> https://forum.torproject.net/privacy
> As Jérôme pointed out [5] the forum is also subject to discourse's privacy policy, so maybe it would be good to include a link
> to https://www.discourse.org/privacy on https://forum.torproject.net/privacy.
>
>
> Especially since this forum will be used for tor browser support it will also include people's IP addresses
> when they are unable to use tor browser to protect themselves.
>
>
> When you open https://forum.torproject.net in a browser it will fetch resources from multiple places:
>
> fonts.googleapis.com (Google)
> fonts.gstatic.com (Google)
> aws1.discourse-cdn.com
> avatars.discourse-cdn.com (proinity LLC, AS44239)
> forum.torproject.net/torproject1.hosted-by-discourse.com (CNAME) Hurricane Electric LLC
>
>
> To quote Gaba from the gitlab ticket [3]:
> > If there is a risk on running this forum outside TPA infrastructure then we need to change this and host Discourse in TPA.
>
> (TPA is the torproject admin team https://gitlab.torproject.org/tpo/tpa/team)
>
> I agree with Gaba and I'm glad anarcat (torproject admin team) is not totally against self-hosting [4] even though
> discourse is docker based.
>
>
> Self-hosting would also allow for:
>
> - better domain: forum.torproject.org (the torproject.net domain is basically unknown and I guess many people
>   will be confused. I agree with anarcat to use the .net domain when it is not run on TPA infrastructure)
> - no IP logging
> - no external resources
> - no troubles for tor browser users should discourse decide to enable CAPTCHA or use a CDN that enforces CAPTCHAs in the future
>
>
> What is the main reasoning for using a 3rd party hosted Discourse instance instead of a self-hosted instance?
> (besides the obvious 'so we don't have to patch and maintain it ourselves')
>
>
> related gitlab ticket:
> https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183
> https://gitlab.torproject.org/tpo/web/team/-/wikis/Plan-To-Launch-Tor's-Forum
>
>
>
> kind regards,
> nusenu
>
>
>
> [1] https://lists.torproject.org/pipermail/tor-community-team/2021-October/000423.html
> [2] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2740700
> [3] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2749919
> [4] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2750060
> [5] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2751283
>
> --
> https://nusenu.github.io
> --
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

--
The Tor Project
Community Team Lead