This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
Inclusion of Self-hosted Software #3476
Comments
Is this restriction on "self-hosted software" written down anywhere that I can read? Mind linking?
IMHO, yes. Modular software architecture is good and should not be punished. Obviously, closed-source (not self-hosted) sites could also have a similar architecture and you would not know. Or consider closed-source self-hosted software: forum software (e.g. #1296) belongs to this category, too.
Despite being claimed that this is done, it actually is not. See #3550 for a potential fix.
Actually, that is the big point why it made no sense to not include these in the first place. For the end-user they are just usual websites…
Well… you usually know. I mean we all have an intuitive understanding of the term "self-hosted", I think. Apart from that, I would however argue that it does not make any difference, because it actually does not. GitLab is e.g. self-hostable and already included, so what…?
Even for closed-source projects this information is usually easily available. (there is a public plugin website or so…) Or you e.g. just look at some bigger instances or whatever…
@rugk thanks for continuing the conversation. I think that every single site on the internet that allows anyone to create accounts should be included in the data set. Creating arbitrary rules for reasons to include/exclude publicly available websites does not make sense to me. The only reason that I have heard to date (sorry, cannot find the issue/comment) is related to the rule of only allowing sites in the Alexa top 200k and that reason was that it is difficult to manually review the PRs. While I certainly realize that everyone here is volunteering their own time and not getting paid for this, the maintenance burden of the data set can be significantly reduced using automation, so I do not think that is a convincing reason to avoid adding all publicly available sites to this data set.
If I understand this correctly, the argument is that if someone is using a framework to host a forum site and they then use a third party plugin for that framework to provide 2FA to their users, then that should not be allowed into the data set. If that is the argument, then I strongly disagree with it. Also, I challenge anyone to prove that a site is using such a third party plugin to provide 2FA in less time than it would take to simply review the PR and add the site to the data set. If it takes more time to enforce these rules about which sites can be included in the data set and which cannot, then I am not at all understanding the purpose of said rules.
@conorgil Be my guest and go through these points on any PR in this repository:
Reviewing PRs takes a long time. Automation helps but automation can’t help with everything. If we are to list every single site on the Internet then we’d need a crew similar to the size of Google’s employee base. Sadly we don’t have that luxury. We have around 10 people maintaining the project and around 2-3 active maintainers each week. Because, you know... life and such. The 200k rule is made to limit the maintaining burden of the site. Before we had that rule, many sites would be added and then removed a month later because they simply stopped working/responding. Regarding the forum exclusion: Regarding third party plugins, if there are multiple plugins that provide 2FA, which one are we supposed to list? Your goal for our site might differ from our goal. For better or worse, that’s not the case with forums. They’re often too niche to have a competitor. If you have another vision for our site then that’s fine. We have forks of this site providing things that are out of our scope and as long as they comply with our MIT license then we’re happy to have them. I hope this answers some of your questions. Regards,
I think the "Alexa top 200k" is okay, so we can drop all that "maintenance" discussion. This rule was introduced for exactly that reason…
Clarification proposal: the Alexa rank of the self-hosted solution should be of the software vendor but not the instance. I found this thread because I wanted to make a PR to include self-hosted email service sendy (whose rank is 150k-ish) but wasn't sure whether it would be appreciated or not. My own instance of that software doesn't reach that rank though 😅
Trying to square the circle of 2factorauth#3476 and 2factorauth#3550 regarding self-hosted sites.
To whom it may concern:
@kmpoppe Your criteria sound good (as they e.g. make a reasonable trade-off by allowing "first party" plugins), but this still does not change the fact that directly before your change in the PR, it is written that self-hosted services are explicitly excluded.
@rugk Thanks for your reply. Yes, it says that self-hosting is excluded. My hope is that people that intend on contributing to this project would go about reading everything that's written down in the ReadMe/Contributions/Exclusions and will, therefore, read what criteria we allow to include self-hosted sites. I can only ask you to, for now, consider our position on that we have decided to use this way to keep the project clean. Currently, the active maintainers have not decided on dropping this requirement, literally @RichJeanes, who is part of this group and OP of this issue, proposed the lifting criteria I built into the page. We are in a very fortunate situation that this project is actively maintained by a dedicated group of people. This allows us to make decisions on a relatively broad base of people. I ask you to trust us that we do not reject changes to this policy purely out of bad intentions. // Kai
Then do change the paragraph before anyway, to explain that you allow exceptions or only "major" self-hosted software or so.
Having stumbled upon the PR at #3550 again (hi, @Gargron we seem to have talked about Mastodon and why it is not included here) due to someone™ making some scientific survey about FLOSS software including that exact PR, I'd like to ask what the current status here is? In any case, I still don't see Mastodon or Nextcloud being listed on the website.
Actually, it's tied for 4th place with a few other issues, though that's not saying much when it only takes 3 +1's to do so...
Stumbled upon this issue as I figured Mattermost (open-source Slack alternative) isn't listed here. It looks to me like it's a very relevant thing for twofactorauth to support FLOSS web projects (thus, hosted) by having them listed. To feed the discussion about inclusion/exclusion rules, maybe things like https://trends.builtwith.com/websitelist/Mattermost could help to complement the Alexa rule. Also, probably some additional bits of info need to be given to the end-user, like checking the instance version against the latest stable version listed in twofactorauth.
Currently, we have a blanket exclusion of self-hosted software on the list. I believe this restriction should be lifted with specific requirements.