#116 Gogs is still fetching from Gravatar

Open
opened 1 year ago by zPlus · 15 comments
zPlus commented 1 year ago

Gogs is still fetching pictures from

  • local server
  • libravatar
  • gravatar

See [example](https://notabug.org/Amin). Is it possible to disable Gravatar and only allow the first two options?


It appears that libravatar falls back to using the gravatar cdn if it can't locate an avatar. I'm not sure if we can turn this off.

zPlus commented 1 year ago
Poster

If it's not possible to disable Gravatar, I think at this point it would be easier just to disable Libravatar as well. What do you think? Does NAB need Libravatar?


during the upgrade i had noted some of the logistics of this feature on a related discussion on this topic --> bill-auger/gogs#4

in short - gravatar fetching is disabled by default when 'OFFLINE_MODE' is set because the semantics of 'OFFLINE_MODE' is that no 3rd-party site will be contacted - hp must have over-ridden this in order to fetch libravatars

if libravatar falls back to fetching from gravatar for any user that does not have a libravatar then this is actually over-riding an upstream feature that i think notabug had originally requested

as noted on the previous discussion the fact that notabug did not call out to 3rd-party servers (until recently) was among its more attractive points for some users

zPlus commented 11 months ago
Poster

> as noted on the previous discussion the fact that notabug did not call out to 3rd-party servers (until recently) was among its more attractive points for some users

yes, although libravatar support was also added because more than a few people asked for it (and it looked like a good idea). However, I think that if libravatar regularly redirects users to wp.com and gravatar.com and there isn't a simple workaround to prevent this, we should probably disable libravatar and support local avatars only.

strk commented 11 months ago

libravatar.org is falling back to gravatar.com but the libravatar support in Gogs can be configured as to which service to use if the DNS lookup fails. IIRC it is still using "GRAVATAR_SOURCE", so set it to notabug.org/some_service (a libravatar service?) to disable gravatar.com completely.

I'm happy to help fixing any limit in the implementation (I've done the go-libravatar module specifically for use in Gogs).

strk commented 11 months ago

For the record, libravatar discussion is in #55

zPlus commented 11 months ago
Poster

@strk Are [these](https://notabug.org/hp/gogs/src/master/conf/app.ini#L257) the options that have to be changed? Should they be changed to something like this?

```ini
[picture]
AVATAR_UPLOAD_PATH = data/avatars
GRAVATAR_SOURCE = 
DISABLE_GRAVATAR = true
ENABLE_FEDERATED_AVATAR = true
```

@hp is hp/gogs (master branch) the one currently running on notabug.org? I'm confused because libravatar is clearly working, but [app.ini](https://notabug.org/hp/gogs/src/master/conf/app.ini#L257) says "false"

strk commented 11 months ago

`GRAVATAR_SOURCE` will be used by the libravatar support (IIRC) as a fallback if the DNS has no entry for serving avatars, appending `/avatar/<hash>` to the url.

I think the default is "libravatar", which means requesting avatars from libravatar.org if DNS has no entry. In turn libravatar.org redirects to gravatar if it doesn't recognize the hash, unless (to be confirmed) a ?default=something is added to the request.

The quickest "fix" for the issue reported here would be to set GRAVATAR_SOURCE to some url under notabug.org, to have full control over what to serve as avatars for those who do not have one.

A better fix would be defining a behavior and discussing it in a Gogs ticket upstream (feel free to mention me there if you take this path).
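
The fallback order described in the comment above, modelled as an added Go example (not code from Gogs or go-libravatar, and not part of the thread). `AvatarURL`, `LeavesSite` and the `srvLookup` stub are hypothetical names, the hosts are constructed samples, and the SRV name and MD5 email hash are assumptions based on Libravatar's federation scheme.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"net/url"
	"strings"
)

// srvLookup stands in for the DNS SRV query (_avatars-sec._tcp.<domain>, an
// assumption); it returns the federated avatar host, or "" if none exists.
type srvLookup func(domain string) string

// AvatarURL: federated host from DNS first, otherwise fallbackBase (the role
// GRAVATAR_SOURCE plays in the thread) plus /avatar/<hash>. "" = local image.
func AvatarURL(email string, lookup srvLookup, fallbackBase string) string {
	addr := strings.ToLower(strings.TrimSpace(email))
	sum := md5.Sum([]byte(addr))
	hash := hex.EncodeToString(sum[:])
	domain := addr[strings.LastIndex(addr, "@")+1:]
	if host := lookup(domain); host != "" {
		return "https://" + host + "/avatar/" + hash
	}
	if fallbackBase == "" {
		return ""
	}
	return strings.TrimRight(fallbackBase, "/") + "/avatar/" + hash
}

// LeavesSite reports whether rawURL points at a host other than firstParty.
func LeavesSite(rawURL, firstParty string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return true // unparseable: treat as third-party
	}
	h := strings.ToLower(u.Hostname())
	return h != "" && h != firstParty && !strings.HasSuffix(h, "."+firstParty)
}

func main() {
	noSRV := func(string) string { return "" } // constructed: no SRV record
	bases := []string{"https://seccdn.libravatar.org", "https://notabug.org/some_service", ""}
	for _, base := range bases {
		u := AvatarURL("user@example.org", noSRV, base)
		fmt.Printf("%q -> %q third-party=%v\n", base, u, LeavesSite(u, "notabug.org"))
	}
}
```

In this model a fallback base under notabug.org keeps the no-SRV case first-party, but an email domain that publishes its own avatar SRV record still produces a third-party URL.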


Gogs has this notion of a 'custom' config which lives in custom/app.ini. This file is not in version control as it contains some secrets, like the database password and other keys.

zPlus commented 11 months ago
Poster

Sorry @hp I completely missed that custom/ config


going over some of the old issues - the example in the OP is still fetching from gravatar

i would like to say again that before the time of this issue it was among the more attractive points for some users the fact that notabug did not call out to ANY 3rd-party servers - AFAIK the 3rd-party scripts are all hosted served locally now and this is the only feature that is still doing that

aside from the privacy concern, i suggest that it would be better to have no photos at all than to rely on a 3rd-party for them but it is not necessary to go to such an extreme - gogs allows users to upload their own photo so it is not necessary to disable photos completely - both gravatar and libravatar fetching could be disabled and still the avatars feature would not be lost

zPlus commented 2 days ago
Poster

@bill-auger as far as I remember, it's libravatar itself that redirects to gravatar if it doesn't have the requested picture. So the only remaining option I think, is to disable both gravatar and libravatar, and only keep the option to upload pictures. [These](https://notabug.org/hp/gogs/src/master/conf/app.ini#L284) should be the relevant settings.


yea either that or close this issue - i was mostly looking into getting these old issues closed - this is one of the few that we actually can handle (or decide not to) without bothering the upstream

strk commented 1 day ago

it is possible to request a default on "not found" to the libravatar service to get a local image if none is registered there. OR (even better) it is possible to configure Gogs not to request anything to libravatar.com if DNS doesn't have an entry.

bill-auger commented 1 day ago

that would be an improvement but i still say there is no good reason to contact ANY external service when gogs is already fully capable of providing that very same functionality locally

the only argument for this would be "yea but people are too lazy to upload a photo on notabug" - but they were not too lazy to upload a photo to gravatar or libravatar? - to require users to manually upload photos imposes zero additional burden on them - firstly it is a non-essential feature that they may not even care about - secondly it takes more time to type your avatar email address into the gravatar field than it takes to simply upload a photo - so in reality uploading the photo manually is a time-saver and the "im lazy" defense is invalid because either task takes less than 5 seconds

also the per-user setting for this is completely inverted IMHO - each user decides whether all OTHER users will fetch their photo from notabug or libravatar or gravatar - this is absurd from a privacy viewpoint - it clearly was not implemented from that viewpoint - that setting should control whether or not YOU want to contact the external services to get ANY other people's avatars

there was one other option presented some time ago to have notabug fetch remote avatars when the user selects the remote avatar option and convert them into gogs native avatars - that could work also but i'm not convinced that it is worth the effort
