Hey @Patrick, I’m curious – what are your thoughts on Discourse after 3 years of use?
security: no opinion
My org is looking at using Discourse, but I saw a huge red flag when skimming their install guide, which included the command:
wget -qO- https://get.docker.com/ | sh
Really bad indeed.
Many if not most popular webapps are similar to that. If you choose to only use these with best security practices, you’ll be severely limiting usability, thereby productivity, thereby the overall success.
There would be a command which makes it partially more secure.
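For readers wondering what a less risky alternative to `wget -qO- ... | sh` looks like, here is an added example (not code from this thread, from Discourse or from Docker): the installer is downloaded to a file, its SHA-256 is compared against a value obtained out of band, and only on a match is it executed. The installer content and the URL are constructed placeholders, and it assumes `sha256sum` from coreutils is present.

```shell
#!/bin/sh
# Added example, not from the thread: run an installer script only after its
# SHA-256 matches a digest obtained out of band (e.g. from a signed release
# note), instead of piping the download straight into `sh`.
# Assumption: `sha256sum` (coreutils) is available.

# sha256_of FILE -> prints the hex SHA-256 digest of FILE
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_and_run FILE EXPECTED_SHA256
# Executes FILE with sh and returns its status only if the digest matches;
# otherwise returns 1 without running anything, so a tampered or swapped
# download is never executed.
verify_and_run() {
    file="$1"
    expected="$2"
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: expected $expected, got $actual" >&2
        return 1
    fi
    sh "$file"
}

# Constructed stand-in for a downloaded installer (no network needed here).
INSTALLER=$(mktemp)
printf '#!/bin/sh\necho "installer ran"\n' > "$INSTALLER"

# Real usage would be (placeholder URL, digest taken from the vendor's
# signed release notes rather than from the same server as the script):
#   wget -qO installer.sh https://example.invalid/install.sh
#   verify_and_run installer.sh "<digest published by the vendor>"
```

The point of the split is that the checksum check happens before any code from the download runs; piping into `sh` leaves no moment at which the content can be inspected or compared, and a truncated or substituted response is executed as-is.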
I’d very much like to hear the perspective of the security-focused Whonix team on the security (and other aspects) of self-hosting Discourse.
Package manager security, file verification security and other auxiliary attack vectors such as clock related security issues are not on the radar of many even security focused projects. For example Hardened Gentoo goes serious about enabling security hardening compile flags but then is sloppy about package manager security.
Should uncheck / remove / disable allow_username_in_share_links once that becomes available in the stable version of Discourse so username isn’t added to the link when using the forum’s “share a link” feature.