(moved datafusion dev list to bcc)

> Can the Javascript be hosted locally?
No, I don't think so. We have to use `https://giscus.app/client.js`. Is
this a blocker?

> If so, does the user have to do anything to start using the app, or does
> the JS generate requests in the background without any interaction from the
> user?
The user must authenticate with GitHub to interact with the app. The user
then needs to authorize the giscus app to post on their behalf using the
GitHub OAuth flow. Once complete, comments and reactions will be modifying
a GitHub discussion post directly. See
https://github.com/giscus/giscus?tab=readme-ov-file#how-it-works for
more details.

This is what the user sees before any auth:
[image: Screenshot 2025-07-26 at 8.37.48 AM.png]

> If Giscus requires positive action from the user before any data is exchanged,
> then it may not be necessary to get a DPA.
The user must explicitly authenticate with GitHub and authorize the giscus
app. So I believe the DPA is not necessary.

Thank you for the help. Please let me know if you have any other questions.

Best,
Kevin Liu



On Sat, Jul 26, 2025 at 12:53 AM sebb <seb...@gmail.com> wrote:

> On Fri, 25 Jul 2025 at 19:09, Kevin Liu <kevinjq...@apache.org> wrote:
> >
> > Dear Privacy Team,
> >
> > (+ cc datafusion dev list)
>
> Note mixed public and private email lists.
>
> > I'm writing on behalf of the Apache DataFusion project to request your
> > approval to use Giscus <https://giscus.app>, a GitHub-powered open source
> > comment widget, on our project website: https://datafusion.apache.org.
> >
> > We plan to embed Giscus to enable blog post discussions via GitHub
> > Discussions (For more context, see
> > https://github.com/apache/datafusion-site/issues/80). It is a lightweight,
> > open-source tool that integrates directly with GitHub APIs and does not use
> > tracking cookies or third-party analytics.
> >
> > To enable this, we would need to add `https://giscus.app` to the site's
> > `Content-Security-Policy` under `script-src`. ASF Infra has advised
> > <https://issues.apache.org/jira/browse/INFRA-27070> that we must first
> > receive your sign-off before proceeding with this change.
>
> Can the Javascript be hosted locally?
> If so, does the user have to do anything to start using the app, or
> does the JS generate requests in the background without any
> interaction from the user?
> If Giscus requires positive action from the user before any data is
> exchanged, then it may not be necessary to get a DPA.
>
> > Relevant details:
> > - Giscus website: https://giscus.app
> > - Source code: https://github.com/giscus/giscus
> > - Data is stored on the DataFusion GitHub repo (via GitHub's Discussions
> > API); Giscus is a frontend wrapper
> > - We do not collect or store any user data ourselves
> >
> > Please let us know if we can proceed or if you need more information.
> >
> > Best regards,
> > Kevin Liu
>