httpd-dev mailing list archives

From Kaspar Brand <>
Subject Re: [Result] Re: [Vote] Add commentary system to httpd docs
Date Mon, 21 May 2012 06:07:42 GMT

On 20.05.2012 14:47, Daniel Gruno wrote:
> This will effectively make for two (or three) new votes for adopting
> each piece:
> - Adopt a privacy policy for the docs and refer to the various tracking
> methods used as they get implemented - see the draft at

Thanks for preparing this draft. As previously stated, I consider such a
policy a mandatory requirement before integrating any tool into which systematically processes user data [1].

The section "Additional tracking by third parties" of the draft
currently says: "The Apache HTTP Server project makes use of additional
third party tools, such as the Disqus commentary system, which itself
may apply visitor tracking for internal purposes."

In the interest of an early declaration, let me say that I'm (rather
strongly) opposed to running the project's site in a way that requires
us to have such a generic disclaimer in the privacy policy, for several

First, my expectation would be that an ASF project, and in particular
ours, is able to run the infrastructure of those features it considers
essential for its operations on its own. It's true that some other
projects are using Google Analytics, but this doesn't mean that others
should follow this practice, IMO.

Second, I see several technical issues when integrating third-party
tools which basically rely on JS code being injected into the HTML on "surreptitious" tracking is one of them, but it's also
problematic from a security point of view: by pulling in JS from remote
URLs we expose our visitors to the risk of running untrusted code in the
context of our site. (As an aside: having to turn off JS for as a whole, as - rightfully - suggested in the draft
privacy policy for effectively turning off GA, would have the collateral
damage of disabling the newly-added syntax highlighting as well, which
seems quite unfortunate.)

Third, *iff* we really decide to do user tracking on,
it should at least be opt-in, not opt-out, in my view (i.e., we should
e.g. make sure to honor "DNT: 1" headers before pulling in JS tracking
code, and ensure that visitors agree to being tracked before we do so).

> - Implement the Disqus commentary system for the docs - see the proposal
> at

In the meantime I skimmed over its Terms Of Service [2], and it took me
only a short time to identify several elements which made me quite worried:

a) User Content: Disqus is granted "a royalty-free, sublicensable,
transferable, perpetual, irrevocable, non-exclusive, worldwide license
to use, reproduce, modify, publish, list information regarding, edit,
translate, distribute, syndicate, publicly perform, publicly display,
and make derivative works of all such User Content" etc.

b) Changes to the service: "We may, without prior notice, change the
Service; stop providing the Service or features of the Service, to you
or to users generally; or create usage limits for the Service."

c) Advertisements: "You agree that Disqus may include advertisements
and/or content provided by Disqus and/or a third party (collectively
"Ads") as part of the implementation of the Service."

This is just a small sample of rules I consider highly problematic, and to
be honest, they pretty much rule out the option of using Disqus on, I think.

PHP's system, on the other hand, uses an approach [3] I'm completely
comfortable with: no dependencies on third-party sites, comments are
covered by a Creative Commons license, and do not rely on any remote JS
code or so.

> - Implement visitor tracking for the docs so we can improve on them -
> see proposal at

I would highly prefer Piwik over the others (or more generally: a tool
we run ourselves, not a third-party service).


[1] see also
and other messages in that thread, e.g.



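The opt-in rule from the third point of the message above (honor "DNT: 1" and require the visitor's agreement before pulling in tracking JS), sketched as an added example that is not part of the original message or of the httpd project's code. The cookie name docs_tracking_consent and the tracker URL are assumptions made for illustration.

```javascript
// Added example: opt-in gate for a tracking script. Names below are assumptions.
const CONSENT_COOKIE = "docs_tracking_consent";            // hypothetical cookie name
const TRACKER_SRC = "https://analytics.example.org/t.js";  // placeholder URL

// HTTP header names are case-insensitive; return the first match or undefined.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return String(value).trim();
  }
  return undefined;
}

// Parse a Cookie header into a plain map; malformed pairs are ignored.
function parseCookies(cookieHeader) {
  const jar = Object.create(null);
  for (const part of (cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 1) continue;
    jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Default deny: tracking only when DNT is not "1" AND the visitor opted in.
function trackingAllowed(headers) {
  if (getHeader(headers, "DNT") === "1") return false;
  return parseCookies(getHeader(headers, "Cookie"))[CONSENT_COOKIE] === "yes";
}

// Append the script tag only for visitors who pass the gate.
function renderPage(headers, bodyHtml) {
  const tag = trackingAllowed(headers)
    ? `<script async src="${TRACKER_SRC}"></script>`
    : "";
  return `<html><body>${bodyHtml}${tag}</body></html>`;
}

// Constructed sample requests.
const samples = [
  { label: "no signal", headers: {} },
  { label: "opted in", headers: { Cookie: "docs_tracking_consent=yes" } },
  { label: "opted in but DNT", headers: { dnt: "1", cookie: "docs_tracking_consent=yes" } },
];
for (const s of samples) console.log(s.label, "->", trackingAllowed(s.headers));
```

Because the decision is made before the page is emitted, a visitor who has not opted in never receives the script tag at all, so syntax highlighting and other first-party JS keep working.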