Re: [tor-talk] torproject forum hosted by 3rd party?
Gaba pointed out on mastodon: We have plans on moving it to our own infrastructure but it will take a little more time. ok, great to hear that. So lets wait for it. Does that also mean that the forum will then be located at forum.torproject.org after the planed migration to torproject infrastructure? -- https://nusenu.github.io -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] torproject forum hosted by 3rd party?
bo0od: - no IP logging - no external resources You shouldnt trust TPO on not doing that either (not because they do that but because there is no control on that from user side so you should assume the worst when it comes to security/privacy/anonymity). I see your point as an end user here, but from the torproject's point of view it would expect a more cautious approach with tor user information and practice harm reduction strategies instead of saying 'Oh, you didn't use tor browser to protect yourself when you accessed our support forum? It's your fault' to avoid a future where discourse gets compromised and someone publishes/leaks all forum logs. If you don't log it in the first place, there is less data that can harm you afterwards. Expecting users to never open an url in the "wrong" browser window is a bit unrealistic. It is also a matter of leading by example - especially for a privacy focused project. At the end user need to trust an entity to make discourse functional, TPO or not doesnt matter. I believe it does make a difference where you host something that requires some level of trust especially when it is visible in the url bar, because users trust some entities (or domains) more then others. kind regards, nusenu -- https://nusenu.github.io -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] [tor-announce] [RELEASE] 0.3.5.17, 0.4.5.11, 0.4.6.8 and 0.4.7.2-alpha
On Tue, 26 Oct 2021 14:23:19 -0400 David Goulet allegedly wrote: > > David > > > > I do hope that this new forum is a supplement to, and not a > > substitution for, the current email based Tor lists. > > It will supplement. We are working on setting up a way for the forum > announcement to be replicated onto mailing lists. > > David > David Excellent. Thanks. Mick - Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 https://baldric.net/about-trivia - -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] [tor-announce] [RELEASE] 0.3.5.17, 0.4.5.11, 0.4.6.8 and 0.4.7.2-alpha
On Tue, 26 Oct 2021 11:48:54 -0400 David Goulet allegedly wrote: > The Tor Network Team will from now on do its release announcement > through our new fancy shiny Discourse forum: > https://forum.torproject.net > > If you are interested in getting notified for each release > announcement, you should follow this category (once you get an > account): > > https://forum.torproject.net/c/news/tor-release-announcement/28 > > And for todays' announcement: > > https://forum.torproject.net/t/release-0-3-5-17-0-4-5-11-0-4-6-8-and-0-4-7-2-alpha/148 > David I do hope that this new forum is a supplement to, and not a substitution for, the current email based Tor lists. Whilst a web based forum may indeed be "new, fancy and shiny" it has distinct drawbacks, not least the need for an account, but also its use of cookies. I suspect that many Tor users or relay admins will find that a retrograde step, if not a distinct turn off. Mick - Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 https://baldric.net/about-trivia - -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Tor Browser + ALSA
mpan tor-1qnuaylp at mpan.pl Tue Sep 14 13:43:23 UTC 2021 there is also a solution many people used in the interim period between Mozilla decided to nuke ALSA and introducing it again: apulse.⁽²⁾ ⁽¹⁾ https://github.com/archlinux/svntogit-packages/blob/6f80cdd3145436c9d1690c353f5490ad7f0098cf/trunk/PKGBUILD ⁽²⁾ https://github.com/i-rinat/apulse Nicolas Vigier boklm at mars-attacks.org Thu Sep 9 07:18:43 UTC 2021 And if you want to build Tor Browser, you can see this page: https://gitlab.torproject.org/tpo/applications/tor-browser/-/wikis/Hacking/Hacking Thank you very much to the both of you. Does this mean that there is hope that the decision to remove ALSA (and not PulseAudio) in TorBrowser is reversed? is adding `ac_add_options --enable-alsa' in `mozconfig-*' what I would need to build TorBrowser with ALSA enabled? The rationale of lower maintenance from Mozilla seems to have veered in a strange direction: remove ALSA and keep PulseAudio ("Make Pulse Audio a hard dependency on Linux so that we reduce the problems and maintenance associated with maintaining multiple audio backends"). Just to share (no complaint): The alternative to run `apulse' did not work for me. I tried to play a local mp3 file (Ritchie Valens' La Bamba), and it works for other browsers, but not with TorBrowser. This is possibly unrelated to `apulse', because the other browsers play sound regardless. The last commit to `apulse' was on Tue Jun 30 13:46:54 2020 +0200, and I doubt that "maintenance" is the key word to keep using it as a work-around. I really appreciate your advice. I post these for completeness regarding links. https://www.linuxquestions.org/questions/linux-software-2/no-sound-in-tor-browser-on-debian-10-with-alsa-4175670325/ https://www.linuxquestions.org/questions/linux-software-2/no-sound-in-tor-browser-only-4175663745/ - This free account was provided by VFEmail.net - report spam to ab...@vfemail.net ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's hands! $24.95 ONETIME Lifetime accounts with Privacy Features! 15GB disk! No bandwidth quotas! Commercial and Bulk Mail Options! -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] torproject forum hosted by 3rd party?
> - no IP logging > - no external resources You shouldnt trust TPO on not doing that either (not because they do that but because there is no control on that from user side so you should assume the worst when it comes to security/privacy/anonymity). And allowing JS in order to participate in the forum thats also an issue. (Good thing you can read the forum topics while JS disabled, But you cant login,type..etc) At the end user need to trust an entity to make discourse functional, TPO or not doesnt matter. (I agree on seeing google or amazon or ..etc from shitty corporations thats the worst thing user want to see when using Tor or any other anonymity tools and should be prohibited) nusenu: Hi, the Torproject is about to launch the new Discourse based forum next week [1] https://forum.torproject.net With this email I'd like to initiate a discussion on whether it is a good idea to externalize hosting of what might become a important platform for the tor community. I believe discourse is a great platform, but I was surprised to learn that the forum is _not_ self-hosted on torproject infrastructure. It is hosted by "Civilized Discourse Construction Kit, Inc." the company behind discourse.org. That means the torproject does not have full control over the infrastructure and its security and logging practices. Discourse's third party hosting also does not support onion services [2]. The forum privacy policy mentions that IPs get logged and stored over an extensive amount of time https://forum.torproject.net/privacy As Jérôme pointed out [5] the forum is also subject to discourse's privacy policy, so maybe it would be good to include a link to https://www.discourse.org/privacy on https://forum.torproject.net/privacy. Especially since this forum will be used for tor browser support it will also include people's IP addresses when they are unable to use tor browser to protect themselves. When you open https://forum.torproject.net in a browser it will fetch resources from multiple places: fonts.googleapis.com (Google) fonts.gstatic.com (Google) aws1.discourse-cdn.com avatars.discourse-cdn.com (proinity LLC, AS44239) forum.torprojec.net/torproject1.hosted-by-discourse.com (CNAME) Hurricane Electric LLC To quote Gaba from the gitlab ticket [3]: If there is a risk on running this forum outside TPA infrastructure then we need to change this and host Discourse in TPA. (TPA is the torproject admin team https://gitlab.torproject.org/tpo/tpa/team) I agree with Gaba and I'm glad anarcat (torproject admin team) is not totally against self-hosting [4] even though discourse is docker based. Self-hosting would also allow for: - better domain: forum.torproject.org (the torproject.net domain is basically unknown and I guess many people will be confused. I agree with anarcat to use the .net domain when it is not run on TPA infrastructure) - no IP logging - no external resources - no troubles for tor browser users should discourse decide to enable CAPTCHA or use a CDN that enforces CAPTCHAs in the future What is the main reasoning for using a 3rd party hosted Discourse instance instead of a self-hosted instance? (besides the obvious 'so we don't have to patch and maintain it ourselves') related gitlab ticket: https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183 https://gitlab.torproject.org/tpo/web/team/-/wikis/Plan-To-Launch-Tor's-Forum kind regards, nusenu [1] https://lists.torproject.org/pipermail/tor-community-team/2021-October/000423.html [2] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2740700 [3] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2749919 [4] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2750060 [5] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2751283 OpenPGP_signature Description: OpenPGP digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] torproject forum hosted by 3rd party?
Hi Nusenu, Thanks for your concern about the Tor Forum. As I said on my previous emails[1], we've decided to go with their free hosting plan for open source projects. Qubes community also followed that path: started with their free hosting plan and moved to a self-hosted instance. I also pointed that 'information collected' is mitigated using Tor Browser and/or 'mailing list' mode, where you don't need to use the web interface. Gus [1] https://lists.torproject.org/pipermail/tor-relays/2021-October/019940.html [2] https://lists.torproject.org/pipermail/tor-relays/2021-October/019941.html On Fri, Oct 29, 2021 at 04:00:50PM +0200, nusenu wrote: > Hi, > > the Torproject is about to launch the new Discourse based forum next week [1] > https://forum.torproject.net > > With this email I'd like to initiate a discussion on whether it is a good > idea to externalize > hosting of what might become a important platform for the tor community. > > I believe discourse is a great platform, but > I was surprised to learn that the forum is _not_ self-hosted on torproject > infrastructure. > It is hosted by "Civilized Discourse Construction Kit, Inc." the company > behind discourse.org. > That means the torproject does not have full control over the infrastructure > and its security and logging practices. > Discourse's third party hosting also does not support onion services [2]. > > The forum privacy policy mentions that IPs get logged and stored over an > extensive amount of time > https://forum.torproject.net/privacy > As Jérôme pointed out [5] the forum is also subject to discourse's privacy > policy, so maybe it would be good to include a link > to https://www.discourse.org/privacy on https://forum.torproject.net/privacy. > > > Especially since this forum will be used for tor browser support it will also > include people's IP addresses > when they are unable to use tor browser to protect themselves. > > > When you open https://forum.torproject.net in a browser it will fetch > resources from multiple places: > > fonts.googleapis.com (Google) > fonts.gstatic.com (Google) > aws1.discourse-cdn.com > avatars.discourse-cdn.com (proinity LLC, AS44239) > forum.torprojec.net/torproject1.hosted-by-discourse.com (CNAME) Hurricane > Electric LLC > > > To quote Gaba from the gitlab ticket [3]: > > If there is a risk on running this forum outside TPA infrastructure then we > > need to change this and host Discourse in TPA. > > (TPA is the torproject admin team https://gitlab.torproject.org/tpo/tpa/team) > > I agree with Gaba and I'm glad anarcat (torproject admin team) is not totally > against self-hosting [4] even though > discourse is docker based. > > > Self-hosting would also allow for: > > - better domain: forum.torproject.org (the torproject.net domain is basically > unknown and I guess many people > will be confused. I agree with anarcat to use the .net domain when it is not > run on TPA infrastructure) > - no IP logging > - no external resources > - no troubles for tor browser users should discourse decide to enable CAPTCHA > or use a CDN that enforces CAPTCHAs in the future > > > What is the main reasoning for using a 3rd party hosted Discourse instance > instead of a self-hosted instance? > (besides the obvious 'so we don't have to patch and maintain it ourselves') > > > related gitlab ticket: > https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183 > https://gitlab.torproject.org/tpo/web/team/-/wikis/Plan-To-Launch-Tor's-Forum > > > > kind regards, > nusenu > > > > [1] > https://lists.torproject.org/pipermail/tor-community-team/2021-October/000423.html > [2] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2740700 > [3] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2749919 > [4] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2750060 > [5] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2751283 > > -- > https://nusenu.github.io > -- > tor-talk mailing list - tor-talk@lists.torproject.org > To unsubscribe or change other settings go to > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk -- The Tor Project Community Team Lead signature.asc Description: PGP signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] torproject forum hosted by 3rd party?
Hi, the Torproject is about to launch the new Discourse based forum next week [1] https://forum.torproject.net With this email I'd like to initiate a discussion on whether it is a good idea to externalize hosting of what might become a important platform for the tor community. I believe discourse is a great platform, but I was surprised to learn that the forum is _not_ self-hosted on torproject infrastructure. It is hosted by "Civilized Discourse Construction Kit, Inc." the company behind discourse.org. That means the torproject does not have full control over the infrastructure and its security and logging practices. Discourse's third party hosting also does not support onion services [2]. The forum privacy policy mentions that IPs get logged and stored over an extensive amount of time https://forum.torproject.net/privacy As Jérôme pointed out [5] the forum is also subject to discourse's privacy policy, so maybe it would be good to include a link to https://www.discourse.org/privacy on https://forum.torproject.net/privacy. Especially since this forum will be used for tor browser support it will also include people's IP addresses when they are unable to use tor browser to protect themselves. When you open https://forum.torproject.net in a browser it will fetch resources from multiple places: fonts.googleapis.com (Google) fonts.gstatic.com (Google) aws1.discourse-cdn.com avatars.discourse-cdn.com (proinity LLC, AS44239) forum.torprojec.net/torproject1.hosted-by-discourse.com (CNAME) Hurricane Electric LLC To quote Gaba from the gitlab ticket [3]: If there is a risk on running this forum outside TPA infrastructure then we need to change this and host Discourse in TPA. (TPA is the torproject admin team https://gitlab.torproject.org/tpo/tpa/team) I agree with Gaba and I'm glad anarcat (torproject admin team) is not totally against self-hosting [4] even though discourse is docker based. Self-hosting would also allow for: - better domain: forum.torproject.org (the torproject.net domain is basically unknown and I guess many people will be confused. I agree with anarcat to use the .net domain when it is not run on TPA infrastructure) - no IP logging - no external resources - no troubles for tor browser users should discourse decide to enable CAPTCHA or use a CDN that enforces CAPTCHAs in the future What is the main reasoning for using a 3rd party hosted Discourse instance instead of a self-hosted instance? (besides the obvious 'so we don't have to patch and maintain it ourselves') related gitlab ticket: https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183 https://gitlab.torproject.org/tpo/web/team/-/wikis/Plan-To-Launch-Tor's-Forum kind regards, nusenu [1] https://lists.torproject.org/pipermail/tor-community-team/2021-October/000423.html [2] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2740700 [3] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2749919 [4] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2750060 [5] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2751283 -- https://nusenu.github.io -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk