How would you make a comment system decentralized? Like where would they be stored? Genuine question by the way, I'm not familiar with decentralized computing.
Presumably the comments would be sharded and encrypted. Then each those chunks would have a hash generated for it, and each chunk would be stored as transactions on a blockchain, or more likely multiple blockchains for redundancy.
This is how the blockchain storage companies do it.
Decentralizing Disqus is trivial. Just go back to each blog has its own local comment system with commenter identities disconnected from all other sites they comment on or even anonymous. There's no reason you need a single global identity and storage backend for all content sources that support commenting.
It can even be otherwise identical to Disqus except self hosted.
Comments need moderation. The blockchain/decentralization ain't great for moderation... And not everything has to be "discoverable" (= have a public database)
Unless you're fine with re-inventing known best-practices ofc.
decentralization is totally fine for moderation, it works fine in Mastodon for example, you can moderate out entire instances
for a commenting system you could do something nearly identical... each site is its own commenting instance, and you can federate profiles. If a user accumulates bans or flags across instances you could choose to add them to a shared blocklist that other instances can opt-in/out of... it's not too hard to imagine.
Being decentralized is orthogonal with moderation. You can for example allow people to post to some rooms that represent the blog posts threads, and keep yourself as admin and moderator there.
Cactus isn't really the fediverse though: I consider (maybe mistakenly) the so-called fediverse to be broadly activitypub-based, while cactus leverages Matrix.
Can I suggest you add something of an architecture diagram/flowchart od the website? Just a little something that illustrates what the frontend talks to, where the data is stored, that sort of thing?
Thanks for you feedback! I will add a `how it works` in the document later. But I'd like to answer your question here first.
Since Cusdis was designed for self-hosted, the data should be stored in your own server. The Docker image provides both sqlite and pgsql options. Then the comment widget that embed in your web page talks to this server through a http call, which fetch all the approved comments and display them.
The "Try it now" is a demo server that I've hosted for the people who want to just look around what is it look like, it's not scalable and shouldn't be used in production yet. It run in my vps on Digital Ocean, data is stored in this vps with a pgsql instance.
Not to put you down, but I think you should differentiate yourself well from Discourse (https://github.com/discourse/discourse), as it is pretty popular with the open source communities.
Hi. Discourse is a discussion platform (forum), while Disqus and Cusdis are comment widget that embed to existed website (like embed in blogs). I think they are not the same.
Discourse is heavier as a forum, certainly, but it supports embedding in sites as a comment section, and will generally do useful things like "automatically create a new topic of discussion from the post."
I agree that it's exceedingly heavy for comment only use (and generally requires user accounts), but if you're trying to build a community that also has blog posts, the two do integrate very nicely.
The edit box doesn't seem to indicate what sorts of markup, or "url looking thing is converted to link", etc, is available. Might be good to have a little help box to explain what's allowed/supported, even if that's just text.
Edit: I now see the "support markdown" commit. You might want a "preview" button so people can see what they have. At the moment I see only a "Post Comment" button.
Also, does it understand the concept of canonical urls so that pages that are the same one, but with different urls, share the same comments? I searched the repo for "canonical" and didn't see anything.
You can enable JavaScript in Chrome the following way:
1) On your computer, open Chrome.
2) At the top right, click More. Settings.
3) Click Privacy and security. Site settings.
4) Click JavaScript.
5) Turn on Allowed (recommended).
Commento doesn't work. I tried to integrate it with my site a while ago. Didn't work. Got some server error. So I tried to contact the guy behind it. He didn't respond.
I'm the guy behind it. Was this with commento.io or were you self-hosting? I'm truly sorry it didn't work out, but if you want to shoot me another email, I promise to respond this time.
So there's a whole bunch of improvements actively going on the behind-the-scenes (essentially a Commento v2) and I hope to announce things soon. I know support has been lackluster and I intend to turn that around too. It's certainly not dead :)
> So I tried to contact the guy behind it. He didn't respond.
Did you buy support from the author? As the author of an unrelated open source project, I receive an enormous amount of messages from people feeling entitled to receive support for free on the pretext it's open source. Answering and following up on those message could well be a full time job in itself except it doesn't pay for my bills
I am sure the creator of Commento is happy you are here exacting vigilante justice against his customers for their imaginary entitlement.
I signed up for a free trial of his commento.io service, and immediately tried to integrate it with my static site.
When I ran into difficulties (bad responses from commento.io) I contacted support.
If I had got it working, I would have gladly paid him, and I would still be paying him.
I think I was within my rights to request a modicum of support during the free trial period for a paid product, and then to not pay for it when I did not receive a response.
In this context, I find your story about some open source project you have to be quite irrelevant.
Coral is definitely more focused on larger communities than it is for smaller sites. Mainly because of the multi-tenant, multi-site, and moderation features that allow it to be used for larger organizations!
(We're also hiring to work on this open source project!)
I would suggest that always show on screen the label of the input, is not a good practice put the label inside the input and make it disappear when the person start typing.
Absolutely. I was curious to see this practice encouraged by a document about UX design and the linked page actually lists all sorts of drawbacks for it and encourages using labels at the top or at the left of the input (right aligned to make the label close to the input).
I have been tinkering about the idea of building open source disqus alternative for few months now. I guess I missed the train already:D Do you have any plans to monetise this?
That's a train with a busy time table. Every software engineer who ever wrote a comment on the web, got an idea how to make our better at some point. And it isn't a problem with a high barrier to entry.
The interesting, for me, part is the antispam. It is also silly hard, for obvious reasons. A big part of why Disqus is hard to replace is that they're doing a great job with it. Only once you clear that bar, you can think of successful monetisation.
Monetization can also be a problem if you don't provide enough tiers for users (same as any hosted web analytics alternative to google analytics).
I.e: my blog has like... 200 visits per month? I don't have comments right now - only link to twitter/reddit - but I expect I would have a dozen comments per month, tops. At this point I don't even care about anti-spam, but if a tool asks me $10 a month, I can't justify paying it. Make it $1 and I'm in.
I worry about the echo chambers people are subjecting themselves to when something with applicability as general as a commenting widget requires a GitHub account to sign in. That's narrowing it down to a subset of a subset of one's audience.
It's a trade-off. GitHub comments are free and rather easy to set up and maintain. If I had a highly developer-centric blog or even a blog supporting an open-source project, using GitHub as comments is a perfectly fine solution. But sure, this solution is limiting your target audience.
The main advantage to Disqus (and other hosted solutions) is that their spam protection applies across all comment sections. You'll never get that with an open source solution.
Sadly not anymore. There are click farms in third world countries that will solve 10 captchas for a penny. Not to mention how many people will just not leave a comment if presented with a captcha.
reCAPTCHA v3 just gives you a score, and you have to decide what to do with it. This means that you should never under any circumstances use reCAPTCHA v3 as a gate with no alternative—otherwise you will certainly be preventing real users from using the system with no recourse, which will regularly have at least theoretically dire legal consequences.
Also, I get the impression that reCAPTCHA v3 is waaaaay less smart than people think. At a small scale, it’s near trivial to tweak your browser so it’ll give scores at opposite ends of the spectrum.
It doesn't appear automatically, it's programmable [1], you as a developer decide what to do with a low score, you could ask for extra verification for example. I agree with the tracking and privacy issues with ReCAPTCHA.
You’re confusing multiple badly named products by Google. You’re thinking of Invisible reCAPTCHA rather than reCAPTCHA v3.
reCAPTCHA v2 is the “I’m not a robot” checkbox widget followed by challenges if Google doesn’t like you.
Invisible reCAPTCHA is reCAPTCHA v2 but the site initiates verification instead of the user being given an “I’m not a robot” checkbox widget to click; but if Google doesn’t like you, it’ll still trap you in the purgatory¹ of puzzle solving. Site operators can then blame Google, for all the good that does. “Invisible reCAPTCHA” is a bad name for the product, because it’s not invisible.
reCAPTCHA v3 never presents a challenge for you to solve, but decides a score (in practice, I’ve only seen 0.1, 0.3, 0.7 and 0.9) where higher means Google’s feeling more friendly towards you, and it’s up to the site operator to decide what to do with that score—whether to simply deny access to people that Google doesn’t like (catastrophically bad and widely illegal, as it blocks legitimate users with no recourse) or to do something else. But now the liability for blocking real people is clearly with the site operator and not Google. But of course far too many people will ignore Google’s “don’t gate on this alone” direction and just see the higher version number and assume it must be better than reCAPTCHA v2. “reCAPTCHA v3” is a bad name for the product because it’s not a CAPTCHA, as there’s no challenge; it’s straight fraud detection.
They shouldn’t have called it a “challenge” there. It’s not a challenge; it’s just executing the verification function. Chalk up another one for harmfully incorrect terminology. (Admittedly “verification” is also an overloaded term, as it gives you a token which your backend subsequently needs to verify.)
(As they confirm near the start of the document, “reCAPTCHA v3 will never interrupt your users, so you can run it whenever you like without affecting conversion.”)
Not to rely on it, but I've implemented ReCAPTCHA v3 on a couple of websites and got under the impression spambots are detecting and skipping websites who have implemented it altogether.
Abuse is an arms race, so I'm not certain it can entirely be "open source". Someone has to man the servers to adapt as the assault develops. There can be tools that are open source, but without a foundation that is running services, it's just a bunch of dead end code.
Absolutely. I agree the key is less code than rapidly updated data. Source networks, browser headers, client behavior, target links, content markers. Spammers may be awful, but some of them aren't stupid. IF they discover something isn't working, then they'll change up their approach. And it can't be an open service, because you're just helping the smart ones to hide better.
Disqus has passable spam and toxicity detection (the latter via a third party) but many sites don't bother to make use of it. As a result a great many disqus comment sections are absolute cesspools of spam, bigotry, and threats of violence.
The main thing is training a model. Every time you mark something as spam or off topic, it trains a model so that it can identify similar things in the future. You can train your own model, but it will work better with a lot of data.
Open sourcing it would be hard, because you'd have to trust everyone else to classify things correctly, or you'd have to review every input yourself. A spammer could easily sneak in a lot of false positives or false negatives to throw the entire model off.
Why is spam score always weighted as a single outcome and never as a population-based result? I mean, you’re processing more data, I get it, but it feels like that would be a model much more resilient to tampering, bad actors, and just different social norms.
For example, if one set of users started rating a specific subset of posts as spam, then those users could be bucketed together into a “doesn’t want to see message type A” group while others, who minded other messages, would be bucketed into a “No B-messages” group.
This would need to be applied selectively, as it could easily result in an echo chamber for normal discourse, but I would’ve given my left arm to have that sort of filtering available in the game during my WoW days. Those city spammers were unbearable!
I, of course, would have fallen into the “I don’t care how great a deal your Thunderfury, Blessed Blade of the Windseeker, is, I’m just here to socialize” bucket.
> Open sourcing it would be hard, because you'd have to trust everyone else to classify things correctly, or you'd have to review every input yourself.
There's not a way you could choose which people/groups you trust (and don't) to classify spam correctly? Don't open source adblockers work like this?
Don't they use some reasonably reviewable methods, like regular expressions? And, more importantly, reviewable volumes? Also, an ad blocker can always have a debug mode, where it can show you a rule that removed the element.
With ad blocking you have none of that. Gigabytes of text go into training, kilobytes of inscrutable numbers go out. And all the debug info you get is how certain the computer sounded saying no.
Also one account where I can see all the comments I've left on the various sites with their replies. And if I feel like it, I can easily remove old comments - even after my nickname and/or email changed, I've deleted all my cookies and/or got a whole new system. I just need to be able to log into my Disqus account. And the site I'm commenting on doesn't know my email address.
You could use a closed source spam protection API from an open source project. Best of both worlds. Oh that is actually what Wordpress does with Akismet
When i click on "try it now", then click the browser's back button when seeing "log in with github" I and up at https://cusdis.com/dashboard and get a 500 error page.
175 comments
[ 3.1 ms ] story [ 236 ms ] threadhttps://komento.host/
https://news.ycombinator.com/item?id=26840855
Like, if I am the only one pinning (and storing) the data, everyone downloads it from me correct? Why not just use a regular storage at that point?
This is how the blockchain storage companies do it.
It can even be otherwise identical to Disqus except self hosted.
https://github.com/tessalt/echo-chamber-js
Unless you're fine with re-inventing known best-practices ofc.
for a commenting system you could do something nearly identical... each site is its own commenting instance, and you can federate profiles. If a user accumulates bans or flags across instances you could choose to add them to a shared blocklist that other instances can opt-in/out of... it's not too hard to imagine.
See https://cactus.chat, which is on the Matrix network.
https://conf.tube/videos/watch/d8c8ed69-79f0-4987-bafe-84c01...
https://cactus.chat/ https://news.ycombinator.com/item?id=26371813
https://carlschwan.eu/2020/12/29/adding-comments-to-your-sta... https://news.ycombinator.com/item?id=25570268
Can I suggest you add something of an architecture diagram/flowchart od the website? Just a little something that illustrates what the frontend talks to, where the data is stored, that sort of thing?
Since Cusdis was designed for self-hosted, the data should be stored in your own server. The Docker image provides both sqlite and pgsql options. Then the comment widget that embed in your web page talks to this server through a http call, which fetch all the approved comments and display them.
The "Try it now" is a demo server that I've hosted for the people who want to just look around what is it look like, it's not scalable and shouldn't be used in production yet. It run in my vps on Digital Ocean, data is stored in this vps with a pgsql instance.
I have a plan to migrate the pgsql to a DigitalOcean managed database.
I've been using RemarkBox for the last couple of months and like it. It's privacy respecting, hosted, pay what you want.
https://www.remarkbox.com/
https://www.remarkbox.com/remarkbox-is-now-pay-what-you-can....
Discourse is a "forum". Not the same thing.
I agree that it's exceedingly heavy for comment only use (and generally requires user accounts), but if you're trying to build a community that also has blog posts, the two do integrate very nicely.
says MIT.
Edit: I now see the "support markdown" commit. You might want a "preview" button so people can see what they have. At the moment I see only a "Post Comment" button.
Also, does it understand the concept of canonical urls so that pages that are the same one, but with different urls, share the same comments? I searched the repo for "canonical" and didn't see anything.
I browse the WWW without JavaScript and this bricks many comment systems. Are you planning to make a widget without reliance on JavaScript?
1) On your computer, open Chrome. 2) At the top right, click More. Settings. 3) Click Privacy and security. Site settings. 4) Click JavaScript. 5) Turn on Allowed (recommended).
Other browsers might have similar instructions.
I only turn on JavaScript to be able to use the website of my bank.
isso: https://github.com/posativ/isso
juvia: https://github.com/phusion/juvia
But cusdis looks great so far!
For a commenting system, that sounds more like a feature than an issue to me.
https://commento.io/
https://gitlab.com/commento/commento
It's dead, as far as I can tell.
So there's a whole bunch of improvements actively going on the behind-the-scenes (essentially a Commento v2) and I hope to announce things soon. I know support has been lackluster and I intend to turn that around too. It's certainly not dead :)
Also would love for it to be easier to match the CSS to the host site.
Was running it self-hosted on Cloudron but would be happy to try the paid, hosted product if it worked for me.
I actually sent you two emails.
I will send you another one.
Last commit is last month
> So I tried to contact the guy behind it. He didn't respond.
Did you buy support from the author? As the author of an unrelated open source project, I receive an enormous amount of messages from people feeling entitled to receive support for free on the pretext it's open source. Answering and following up on those message could well be a full time job in itself except it doesn't pay for my bills
I am sure the creator of Commento is happy you are here exacting vigilante justice against his customers for their imaginary entitlement.
I signed up for a free trial of his commento.io service, and immediately tried to integrate it with my static site.
When I ran into difficulties (bad responses from commento.io) I contacted support.
If I had got it working, I would have gladly paid him, and I would still be paying him.
I think I was within my rights to request a modicum of support during the free trial period for a paid product, and then to not pay for it when I did not receive a response.
In this context, I find your story about some open source project you have to be quite irrelevant.
You can even deploy it relatively painlessly. A little googling brought up an ansible playbook to set it up with minimal configuration: https://github.com/kathawala/commento-ansible-playbook
Do you have a tutorial for that?
See https://docs.coralproject.net/coral/v5/integrating/cms/ to get an idea of it's use.
(We're also hiring to work on this open source project!)
Example: https://miro.medium.com/max/700/1*tjzXjhViDt3ArR1zUkFiRw.png
From: https://uxdesign.cc/best-practices-for-form-design-ff5de6ca8...
Hope can help.
Do not use placeholders for labels please.
The interesting, for me, part is the antispam. It is also silly hard, for obvious reasons. A big part of why Disqus is hard to replace is that they're doing a great job with it. Only once you clear that bar, you can think of successful monetisation.
I.e: my blog has like... 200 visits per month? I don't have comments right now - only link to twitter/reddit - but I expect I would have a dozen comments per month, tops. At this point I don't even care about anti-spam, but if a tool asks me $10 a month, I can't justify paying it. Make it $1 and I'm in.
Also, I get the impression that reCAPTCHA v3 is waaaaay less smart than people think. At a small scale, it’s near trivial to tweak your browser so it’ll give scores at opposite ends of the spectrum.
There are better alternatives like OOPSpam API that gives a score and works in the backend so no interaction with the user.
[1] https://developers.google.com/recaptcha/docs/v3#programmatic...
reCAPTCHA v2 is the “I’m not a robot” checkbox widget followed by challenges if Google doesn’t like you.
Invisible reCAPTCHA is reCAPTCHA v2 but the site initiates verification instead of the user being given an “I’m not a robot” checkbox widget to click; but if Google doesn’t like you, it’ll still trap you in the purgatory¹ of puzzle solving. Site operators can then blame Google, for all the good that does. “Invisible reCAPTCHA” is a bad name for the product, because it’s not invisible.
reCAPTCHA v3 never presents a challenge for you to solve, but decides a score (in practice, I’ve only seen 0.1, 0.3, 0.7 and 0.9) where higher means Google’s feeling more friendly towards you, and it’s up to the site operator to decide what to do with that score—whether to simply deny access to people that Google doesn’t like (catastrophically bad and widely illegal, as it blocks legitimate users with no recourse) or to do something else. But now the liability for blocking real people is clearly with the site operator and not Google. But of course far too many people will ignore Google’s “don’t gate on this alone” direction and just see the higher version number and assume it must be better than reCAPTCHA v2. “reCAPTCHA v3” is a bad name for the product because it’s not a CAPTCHA, as there’s no challenge; it’s straight fraud detection.
—
¹ Some hold it’s hell, rather than purgatory.
As @j3th9n mentioned, reCAPTCHA v3 does have challenge and you can invoke it based on a score.
https://developers.google.com/recaptcha/docs/v3#programmatic...
(As they confirm near the start of the document, “reCAPTCHA v3 will never interrupt your users, so you can run it whenever you like without affecting conversion.”)
Talk about a useful open source chunk of software.
Open sourcing it would be hard, because you'd have to trust everyone else to classify things correctly, or you'd have to review every input yourself. A spammer could easily sneak in a lot of false positives or false negatives to throw the entire model off.
For example, if one set of users started rating a specific subset of posts as spam, then those users could be bucketed together into a “doesn’t want to see message type A” group while others, who minded other messages, would be bucketed into a “No B-messages” group.
This would need to be applied selectively, as it could easily result in an echo chamber for normal discourse, but I would’ve given my left arm to have that sort of filtering available in the game during my WoW days. Those city spammers were unbearable!
I, of course, would have fallen into the “I don’t care how great a deal your Thunderfury, Blessed Blade of the Windseeker, is, I’m just here to socialize” bucket.
There's not a way you could choose which people/groups you trust (and don't) to classify spam correctly? Don't open source adblockers work like this?
With ad blocking you have none of that. Gigabytes of text go into training, kilobytes of inscrutable numbers go out. And all the debug info you get is how certain the computer sounded saying no.