Hi Nusenu,

Thanks for your concern about the Tor Forum.

As I said on my previous emails[1], we've decided to go with their free
hosting plan for open source projects. Qubes community also followed
that path: started with their free hosting plan and moved to a
self-hosted instance.

I also pointed that 'information collected' is mitigated using Tor
Browser and/or 'mailing list' mode, where you don't need to use the web



On Fri, Oct 29, 2021 at 04:00:50PM +0200, nusenu wrote:
> Hi,
> the Torproject is about to launch the new Discourse based forum next week [1]
> https://forum.torproject.net
> With this email I'd like to initiate a discussion on whether it is a good 
> idea to externalize
> hosting of what might become a important platform for the tor community.
> I believe discourse is a great platform, but
> I was surprised to learn that the forum is _not_ self-hosted on torproject 
> infrastructure.
> It is hosted by "Civilized Discourse Construction Kit, Inc." the company 
> behind discourse.org.
> That means the torproject does not have full control over the infrastructure 
> and its security and logging practices.
> Discourse's third party hosting also does not support onion services [2].
> The forum privacy policy mentions that IPs get logged and stored over an 
> extensive amount of time
> https://forum.torproject.net/privacy
> As Jérôme pointed out [5] the forum is also subject to discourse's privacy 
> policy, so maybe it would be good to include a link
> to https://www.discourse.org/privacy on https://forum.torproject.net/privacy.
> Especially since this forum will be used for tor browser support it will also 
> include people's IP addresses
> when they are unable to use tor browser to protect themselves.
> When you open https://forum.torproject.net in a browser it will fetch 
> resources from multiple places:
> fonts.googleapis.com (Google)
> fonts.gstatic.com (Google)
> aws1.discourse-cdn.com
> avatars.discourse-cdn.com (proinity LLC, AS44239)
> forum.torprojec.net/torproject1.hosted-by-discourse.com (CNAME)  Hurricane 
> Electric LLC
> To quote Gaba from the gitlab ticket [3]:
> > If there is a risk on running this forum outside TPA infrastructure then we 
> > need to change this and host Discourse in TPA.
> (TPA is the torproject admin team https://gitlab.torproject.org/tpo/tpa/team)
> I agree with Gaba and I'm glad anarcat (torproject admin team) is not totally 
> against self-hosting [4] even though
> discourse is docker based.
> Self-hosting would also allow for:
> - better domain: forum.torproject.org (the torproject.net domain is basically 
> unknown and I guess many people
> will be confused. I agree with anarcat to use the .net domain when it is not 
> run on TPA infrastructure)
> - no IP logging
> - no external resources
> - no troubles for tor browser users should discourse decide to enable CAPTCHA 
> or use a CDN that enforces CAPTCHAs in the future
> What is the main reasoning for using a 3rd party hosted Discourse instance 
> instead of a self-hosted instance?
> (besides the obvious 'so we don't have to patch and maintain it ourselves')
> related gitlab ticket:
> https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183
> https://gitlab.torproject.org/tpo/web/team/-/wikis/Plan-To-Launch-Tor's-Forum
> kind regards,
> nusenu
> [1] 
> https://lists.torproject.org/pipermail/tor-community-team/2021-October/000423.html
> [2] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2740700
> [3] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2749919
> [4] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2750060
> [5] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2751283
> -- 
> https://nusenu.github.io
> -- 
> tor-talk mailing list - tor-talk@lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

The Tor Project
Community Team Lead

Attachment: signature.asc
Description: PGP signature

tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to

Reply via email to