1. 104
  1.  

  2. 56

    I’m not sure why Free Software was thrown into this. I fully agree with the author’s points regarding the severe lack of privacy associated with discord, BUT I disagree that Free Software can only be developed/supported using communication mechanisms that respect privacy.

    Email is an acceptable choice for Free Software projects, and has been for many decades. Same for IRC. None of those are inherently secure/privacy-friendly.

    Discord is a terrible choice for Free Software projects because it’s a proprietary walled garden, not because it’s ‘not private’.

    1. 21

      BUT I disagree that Free Software can only be developed/supported using communication mechanisms that respect privacy.

      Of course you can develop free software with proprietary tools and services.

      It’s just discriminatory and excludes those who need or want to maintain their privacy. I don’t think free software projects should be discriminatory or exclusionary.

      Email is an acceptable choice for Free Software projects, and has been for many decades. Same for IRC. None of those are inherently secure/privacy-friendly.

      Email and IRC are absolutely privacy-friendly, despite being unencrypted. You can create an entirely anonymous free account and use them, via Tor, just like any other participant and not be excluded.

      From the article:

      Discord is proprietary, non-free software, held closely by a for-profit company. How you personally feel about this is dependent upon your own philosophical views, but, objectively, it is not very consistent with the ideals of most groups dedicated to free software or open collaboration to produce and improve free software.

      It seems to me inappropriate for an organization that believes in free software to choose proprietary and privacy-disrespecting tools when free and private alternatives are readily available and can be hosted very inexpensively.

      1. 20

        Yes, I read the bit about it being proprietary in the article, but the main points being made in the article are not about it being a poor choice because it’s non-free, but because it’s “not private”.

        Anyways, I hope fewer projects choose this path (and slack, which i put squarely in the same boat as discord), and instead choose IRC, matrix, XMPP, and other similar protocols.

        1. 6

          Well, the main reason it’s discriminatory and exclusionary is because of privacy. Not everyone can give up their privacy, so any project using it is discriminating against all of those people.

          Also from the article:

          If you have done so in the past, please stop recommending IRC as a replacement for Slack and Discord. It’s absolutely not. IRC is great, but it is not simply “open source Slack” (that’s Mattermost). They are both chat systems, but they are different tools for different jobs. I love IRC, but it’s simply not a useful tool for most groups.

          Are there any good matrix implementations yet? I’ve been meaning to run one.

          1. 7

            If you have done so in the past, please stop recommending IRC as a replacement for Slack and Discord. It’s absolutely not. IRC is great, but it is not simply “open source Slack” (that’s Mattermost). They are both chat systems, but they are different tools for different jobs. I love IRC, but it’s simply not a useful tool for most groups.

            Yeah.. I disagree with that bit too. All of the Mesa development happens over IRC, and mailing lists (with some moving to gitlab, e.g. patch review). It works really, really great for that. For a (long) while, Mozilla used it. But I guess it wasn’t ‘hip’ enough so they moved to something else (matrix I think?)

            IRC is a very simple protocol, you can implement a client for it very easily, it has been ‘battle tested’ for decades. One of the big missing ‘features’ is accessing the backlog while you are away, and many folks (including myself) use a bouncer on some 24/7 system to fill that gap, but I understand that’s not for everyone.

            Are there any good matrix implementations yet? I’ve been meaning to run one.

            I’m also interested to know this. ~2yrs ago the (only?) homeserver implementation out there was hard to set up, and didn’t scale well at all (something about it being written in javascript? lol). Maybe that’s different now. I’ve yet to see any widespread adoption of E2EE in matrix, for any channels I’ve seen. People tout E2EE as the major reason to use matrix, but basically no one uses it, AFAIK.

            1. 16

              Yeah.. I disagree with that bit too. All of the Mesa development happens over IRC, and mailing lists (with some moving to gitlab, e.g. patch review). It works really, really great for that. For a (long) while, Mozilla used it. But I guess it wasn’t ‘hip’ enough so they moved to something else (matrix I think?)

              Because it works well for some groups does not mean it works well for most groups.

              Mozilla didn’t quit IRC because it wasn’t “hip” enough. They wrote about it when they did it: it wasn’t serving their needs.

              For most groups, asynchronous mobile applications with native notifications and multiclient are hard requirements. Unless you pay for irccloud, you’re not getting any of that. IRC’s “very simple protocol” is actually a hindrance for the majority of users: it means that if you can’t maintain a TCP connection, you can’t maintain an active session. The vast majority of people these days only access social networking via mobile devices. That forces them onto a paid bouncer like irccloud, or into a bad UX. There’s a reason that Slack and Discord are so massively popular. IRC advocates entirely fail to understand those reasons.

              Use of Discord discriminates against all the users who need privacy.

              Use of IRC discriminates against all the users who don’t know screen, znc, and the command line, or users who primarily use mobile phones.

              1. 7

                Use of Discord discriminates against all the users who need privacy.

                But in the context of publicly discussing open source development, I don’t see how you do? So frankly I don’t really see the objection here.

                The other day someone on Reddit was complaining about a Google mailing list not being private. The privacy of what? Your public messages sent to a public mailing group?

                I’m unconvinced by the “you need a telephone” argument; the fact is that spam and abuse are a serious problem, and it’s a reasonably effective at stopping it. I don’t buy the “complete privacy” argument, and I don’t think that they ask it “just to get more data about you”. That’s ignoring the very real problems people have to deal with.

                The “human right” argument seems misplaced. I also have the “human right” to call anyone an asshole here (freedom of speech) or to proselytize my religion (freedom of religion), but that doesn’t mean this platform needs to accept that. Again, the context here is publicly discussing a public project.

                In your article you wrote that “you should be able to use your communications tools to mock and ridicule people, if you so wish”. Seriously? If someone comes in a OSS project to “mock and ridicule people” then I’d kick them out faster than you can say “freedom of speech”.

                The word “privacy” seems to be subject to quite some inflation these days. I think this is a serious distraction from actual privacy issues.

                1. 6

                  The privacy of what? Your public messages sent to a public mailing group?

                  the connection between your web identity and your in-real-life identity. The messages are obviously public but you might not want, for example, your boss to know that “coder_742” is you.

                  1. 2

                    Do people not just make new email accounts for their “alt” identities? Virtually all online services use email as the primary proof of identity and it is trivial to create a new one. Discord requiring an email and an account are hardly barriers to privacy.

                    1. 5

                      They also require your physical location via your IP. If you use Tor or a VPN to preserve your personal privacy, the things that happen (dozens of captchas, frequent inability to log in, DMing links gets your account auto deleted) are huge barriers to entry.

                      1. 1

                        Hard disagree. Tor is very frequently used for spam (among other nefarious things), so it’s no surprise that IPs for exit nodes are blacklisted or put under more scrutiny. If you go out of your way to obfuscate your origin and you behave like a spambot, you’re going to get treated like one. These are good things, it makes the network better for the vast majority of people who use the service. That being said, I use Discord through a major VPN provider all the time and have never had any issues with retaining my session or logging in. Captchas are hardly an issue either, they’re just slightly annoying.

                2. 4

                  Use of IRC discriminates against all the users who don’t know screen, znc, and the command line, or users who primarily use mobile phones.

                  FYI, there are some great IRC clients for Android.

                  Also, ‘discrimination’ is an intentional action, not accidental. When people set out to create IRC, they didn’t scheme in some dimly lit room and decide “we must prevent users who don’t know screen, znc, and command line from using this. Oh, and fuck mobile users too!”. They simply made a thing that lots and lots of people started using.

                  1. 12

                    Also, ‘discrimination’ is an intentional action, not accidental.

                    Nah, you can absolutely discriminate accidentally. An app demanding only five digit US numeric zip codes or ten digit phone numbers that start with a +1 is discriminating against non-US users even if they didn’t intend to.

                    They simply made a thing that lots and lots of people started using.

                    Yeah, in like 1990, for 1990-style programs. Just because there are decent IRC clients for android doesn’t mean IRC’s protocol is good for modern communication. It doesn’t do multi-client, it needs a persistent TCP connection, it doesn’t do multiline or rich text or media, doesn’t have any sort of cryptography, et c. It’s a bad protocol, and it should be left in the past.

                    1. 10

                      You complain a lot, but most of the things you complain about are already solved, or being solved.

                      IRC isn’t dead, it’s a living, breathing protocol, improving every day.

                      And especially mobile usage isn’t that complicated to do right, especially if you treat IRC the way Matrix treats their protocol between homeservers, and have a separate protocol for clients (like e.g. IRCCloud or our own Quassel/Quasseldroid do: https://quasseldroid.info/).

                      It’s being worked on, and it has a major community still using it. Which is a massive improvement over the flavour-of-the-day Slack clone you see elsewhere.

                      Now to get into specifics:

                      it doesn’t do multiline

                      or rich text or media

                      it needs a persistent TCP connection

                      doesn’t have any sort of cryptography

                      1. 14

                        IRC isn’t dead, it’s a living, breathing protocol, improving every day.

                        As a long time IRC user who has monitored the progress of IRCv3 for years, and talks to many of its former developers, I find this hard to believe. Even with IRCv3 efforts, everything was stillborn and many of those developers are sad at how everything passed them by.

                        1. 4

                          These are all open issues or PRs for the past couple of years. ‘These are being worked on’ does not make IRC a viable alternative for the required feature set of today.

                        2. 3

                          it doesn’t do multiline or rich text or media

                          Those are definitely features, IMHO. But I can see there’s no way we can agree here :)

                          I look forward to something like Matrix (if Matrix doesn’t improve), that is FLOSS, lightweight, secure, federated, and easy for all to use.

                    2. 4

                      The official reference implementation, synapse, has been production-ready for a long time and also scales pretty well nowadays. It can be easily hosted on NixOS, there are Docker images and a Debian repository. I have been running my personal Matrix server for 1-2 years now and I never had problems. Just make sure presence is turned off for better performance.

                      E2EE adption has not been as widespread as it should because the UI/UX had been lacking. It’s not that easy to get right for a federated multi-device service. But a few weeks ago that last missing feature to make E2EE usable, cross-signing of devices, got implemented. It is now being integrated and tested and will soon go live. After that all new private rooms will be E2EE by default.

                      Much has happened on the Matrix project in the last years, I suggest you give it another try :)

                    3. 1

                      Are there any good matrix implementations yet? I’ve been meaning to run one.

                      See my comment below.

                  2. 8

                    It’s just discriminatory

                    I’d say it’s exclusionary, not discriminatory. Discriminatory heavily implies it’s on the basis of an immutable category. But project leaders have to dictate to some extent what software their employees will use, and their employees have the ability to use other tools for private communication.

                    You may say the bar to entry for those other tools is higher, but whose responsibility is that? The project leader’s? I think regardless of what you believe, your comment holds the wrong people to account—that is, if blame is even an apt paradigm here!

                    1. 5

                      Tools that spy on us are bad tools. If project leaders chose Discord, and Discord’s policies regarding privacy mean that people who need privacy are excluded from participating in that group, then I think it’s reasonable to say that group leaders should not make those sorts of choices.

                      It’s just the same as if you had a club meeting at a place with a specific dress code that excludes a cultural form of dress. The people who organized the meeting who chose that venue would be legitimately open to criticism (just as would the venue be) for discriminating against people who dress that way.

                      Free software and public benefit groups and projects should not be discriminatory or exclusionary, and they should not make tool choices that perpetuate discrimination.

                    2. 4

                      I care about privacy, but this definition of “exclusive” and “discrimination” is a bit silly. You could say any tool “discriminated against” or “excludes” anyone who doesn’t like it for any reason, and then wag your finger saying, “you don’t want to be discriminatory or exclusive, do you?”. It doesn’t exclude people who care about privacy, we just don’t like it. And as a maintainer, I’d probably elect for the usable tools over those that trade everything for privacy (or more likely, privacy theater).

                  3. 38

                    I sent the link to this post, via DM only, to three of the admins with a short note. Not 10, not 100, not a random project: three of the admins of a project in which I am already a participant.

                    Within 60 seconds of linking these users to my own webpage, Discord deleted my account.

                    No third-party service should be in a position to be deciding for you what your group membership should be allowed to communicate with each other.

                    According to the message, people flagged your DMs. That’s not really “censorship”, that’s removing a member considered disruptive by the community. Frankly, I’d do the same if random strangers started DMing me with “this service sucks, you should use something else”.

                    Regardless of whatever merit your points against Discord may have, it seems you don’t realize just how disruptive your “advocacy” is perceived by many. Going around telling other people what they “should” do is what people mean with “Open Source entitlement” and quite literally why people get burnt out by being an Open Source maintainer.

                    I strongly urge you to reconsider your approach. It will benefit everyone, including yourself since it will be much more effective. It’s a win-win.

                    free software-adjacent teams and groups, such as hackerspaces, art camps, and other DIY undertakings should always question falling by default onto the “buy” side of “build vs. buy”. DIY or die! Run your own!

                    Are you doing to do the legwork and front the server costs, too? “DIY” isn’t about telling what other people should do, it’s about … doing it yourself.

                    If I was unhappy with the communication platform of a project, I’d compile a list of advantages switching would have and offer to help and/or pay. I don’t want to gatekeep “DIY” here, but in my view that’s the “true” DIY way.

                    1. 12

                      According to the message, people flagged your DMs. That’s not really “censorship”, that’s removing a member considered disruptive by the community. Frankly, I’d do the same if random strangers started DMing me with “this service sucks, you should use something else”.

                      Nothing in that email from Discord says people flagged my DMs. I’m also not a random stranger—I am an active participant in that project. I didn’t disrupt anyone or anything.

                      If you read the suspension message carefully, it claims that my account violated the ToS—it did not. It was not the result of messages being flagged. They are using the term “the Discord community” as a stand in for Discord’s automated spam detection, which no-questions-asked censors young/new Tor-created accounts that send three similar messages containing the same link in a short period of time.

                      Regardless, it’s still censorship when Alice tries to privately message Bob and Mallory decides “Bob isn’t allowed to see this message” and prevents it from reaching its destination, leaving Bob in the dark. That’s pretty much the dictionary definition of censorship. It’s my opinion that Alice and Bob should seriously reconsider their choice of association with Mallory in that instance.

                      Regardless of whatever merit your points against Discord may have, it seems you don’t realize just how disruptive your “advocacy” is perceived by many. Going around telling other people what they “should” do is what people mean with “Open Source entitlement” and quite literally why people get burnt out by being an Open Source maintainer.

                      I think perhaps the first line of my post was garbled in transmission. I’m not telling anyone to do anything.

                      I’m telling people what they should not do: that is, don’t discriminate against people who insist on privacy.

                      Choosing to use Discord does that, so people who don’t want to discriminate should not choose to use Discord.

                      I’m also offering them alternatives that don’t discriminate against those people, so that they can make better choices if they decide that they don’t want to be the kinds of projects that discriminate against segments of their userbase.

                      I feel like it’s a little bit of a stretch to go from “please don’t discriminate against and exclude me and others like me from participating”, which is basically the message in my post, to “open source entitlement”.

                      Are you doing to do the legwork and front the server costs, too?

                      I mention on the page that the server costs for such things are on the order of $5 per month for most teams.

                      I’d compile a list of advantages switching would have and offer to help and/or pay

                      There is an explicit offer of expert help at the bottom of the post, including my direct email address and telephone number, and it has been sitting there on the page since before you left your comment. :)

                      I have also donated approximately 5-6 years worth of server hosting expenses, anonymously and in cash, to a local nonprofit I am attempting to convince to switch away from Discord, and have offered to personally manage and document 100% of their migration for free—time for which I would bill a theoretical customer in the mid to high five figures.

                      1. 36

                        Although I’ve been working as a programmer now for many, many years, prior to that I studied, and received a degree in, philosophy.

                        The chair of my department was a Kant scholar, and taught many of the courses in ethics and moral philosophy, and there was a saying he was fond of, to the effect that there are two great traps, or errors, in moral philosophy, which are easy to fall into and difficult to climb back out of. The first trap is concluding that there is no correct moral system. The second trap is concluding that there is, and that you have found it.

                        You appear to have fallen into the second trap, and this has had a negative impact on your interactions with other people. For example, prior to falling into the trap, you likely would have recognized that sending unsolicited messages to multiple people promoting your blog post is behavior that those people – and probably most neutral observers – would consider spamming. After falling into the trap, you are unable to see this. After all, you are bringing them the truth and the light and the good word! You are like Moses, descending from the mountain bearing the commandments: how could it be incorrect to share such an important message with others? Surely it must be the other people who are at fault if they react negatively.

                        My suggestion to you would be to spend some time working on trying to see this situation from the perspectives of other people, rather than only from your own perspective. To help with that, perhaps consider Kant’s categorical imperative, and consider what the world would be like if your approach were to be made universal. Would you enjoy living in such a world, constantly being bombarded by others’ unsolicited manifestos, constantly being ordered by others to stop doing things they consider immoral, and, if you objected, being told that you are the one who is acting wrongly? I do not think you would find such a world to be pleasant, nor would you find it moral. Think on the lesson that example offers.

                        1. 10

                          I’m reasonably sure that I just did read an unsolicited manifesto on morals, when I read your post. It is all too easy to stand on a soapbox and become morally superior to others. And if Moses did exist, and if he really did receive instructions from Jehovah, then we must keep in mind that immediately upon coming down from the mountain, he had a fight with his brother over morals and ethics. (We must also keep in mind that evidence suggests that Moses is mythical and that the Exodus did not really happen. It is all too easy to draw moral lessons from myths.)

                          On Freenode, if I attempt to privately message somebody, and they are not interested in receiving private messages from me, then I am not instantly banned upon my attempt, but instead notified that the recipient has caller ID enabled and will not be receiving my message.

                          In a world where it is universally recognized that Discord is actively interfering with and shaping its user base, perhaps people would not use Discord as often. And that’s all that’s really been asked for.

                          Finally, on morality, let us not forget Pirsig. Pirsig morality is the fact that atoms obey the laws of chemistry. It is the Kochen-Specker theorem and the Free Will Theorem. Pirsig said that humans are morally free to do what they want/will/desire, but that humans are inherently not as moral as the ideas which they espouse. At the low level, there are few degrees of freedom, but they are clear and easy to see; when we get up to the level of humans and ideas, there are so many degrees of freedom that the possible moral actions of humans become a continuous spectral palette of moral positions. The typical moral action of a human is to think, and in thinking, be acted upon by ideas, in order to create an emotional context for spurring physical actions.

                          Why do I mention Pirsig? Because of this Pirsig quote (from memory):

                          It is more moral to kill a man than an idea.

                          On one hand, Discord is moral in their choice to be heavy-handed on reputation and moderation, and even moral in their choice to deliberately delegate moderation so as to make each Discord “server” a small fiefdom ruled by jealous gamer overlords. On the other hand, the author, myself, and others are moral in our choice to speak out against and criticize Discord’s design and actions. I think that we value the idea of not living in a police state and not having our mail read, and this idea contrasts sharply and precisely with what Discord’s tools and staff appear to be doing here.

                          1. 16

                            In a world where it is universally recognized that Discord is actively interfering with and shaping its user base, perhaps people would not use Discord as often. And that’s all that’s really been asked for.

                            OP has admitted now that what actually happened was connecting via a service designed to hide the origin of traffic, and immediately firing off multiple DMs containing links to different users. I would actively refuse to use any service that didn’t at least treat that as highly suspect – the odds of that behavior indicating a spambot are ludicrously high.

                            Unless you and OP truly believe that it is deeply and reprehensibly morally evil – so evil that you yourself suggest homicide as a preferable alternative – to have systems in place which automatically detect and act on patterns of behavior that are overwhelmingly like to be spam, I’m not sure there’s even a case left to make here. All that’s really left of OP’s argument is a set of desired stances for Free software projects, which would inevitably exclude certain segments of the population (but, notably, not the segment OP belongs to, which apparently makes it acceptable).

                            1. 1

                              desired stances for Free software projects, which would inevitably exclude certain segments of the population

                              Which segments do those desired stances exclude? Are you saying that the communication systems that adhere to these desired stances are inherently user-hostile compared to proprietary, more restrictive systems like Discord?

                              1. 1

                                Some of the proposed alternatives (specifically IRC) are much less user-friendly than Discord.

                                To get a feature like chat persistance, the user will have to either

                                • set up a bouncer (usually requires access to a server)
                                • use WeeChat/Glowing-Bear (ditto)
                                • pay for IRCCloud
                            2. 7

                              I’m reasonably sure that I just did read an unsolicited manifesto on morals, when I read your post.

                              Maybe I’m picking nits… but I do believe I’d consider clicking through to a discussion thread about whether a tool is acceptable for those who value freedom and privacy tantamount to soliciting a manifesto on morals.

                              “X is not acceptable for free software” is something that makes me expect that some moralizing and probably at least one manifesto lies on the other side of a link, anyway.

                            3. 5

                              For example, prior to falling into the trap, you likely would have recognized that sending unsolicited messages to multiple people promoting your blog post is behavior that those people – and probably most neutral observers – would consider spamming.

                              Well, it turns out I have an existing relationship with these people. I wasn’t spamming anyone.

                              The people to whom I sent the messages never had an opportunity to object to them. They didn’t flag them. They didn’t even see them. Discord’s software decided that because I was a new user, and I was connecting via tor, and I sent the same link to three different people within five minutes of signing in, I must be a spammer and be silenced.

                              That’s called censorship.

                              Regardless, this is a red herring. The main issue is that choosing to use Discord is exclusionary and discriminatory, regardless of whether they censor messages or not.

                              1. 33

                                Discord’s software decided that because I was a new user, and I was connecting via tor, and I sent the same link to three different people within five minutes of signing in, I must be a spammer and be silenced.

                                That seems like a perfectly reasonable conclusion for their software to draw.

                                1. 25

                                  That’s called censorship.

                                  It really, really isn’t.

                                  1. 1

                                    It absolutely is. Most censorship is not government censorship. It’s also not universally bad: for example, we self-censor to avoid being unkind to others.

                                    1. 15

                                      If your working definition of censorship is so broad as to encompass anti-spam measures like rate limit violations, then let me suggest that it is not a useful definition in this conversation.

                                      1. 2

                                        On the contrary, the fact that legitimate anti-spam measures can be used to block the legitimate sending of messages by people seeking to keep their physical and network location private means that the definition of censorship should definitely include anti-spam measures.

                                        1. 7

                                          Let me make my point in a different way:

                                          because I was a new user, and I was connecting via tor, and I sent the same link to three different people within five minutes of signing in, I must be a spammer

                                          This isn’t “legitimate sending of messages” — it is actually spamming.

                                          1. 3

                                            I don’t think these measures “are being used to block legit sending of messages”, rather, these algorithms block you because your behaviour is virtually indistinguishable from someone sending illicit and abusive messages. Lots of legit email is being blocked by spam filters because the sender lacks DKIM and Reverse DNS, but it’s simply because people not having those is a very sure sign that someone is spamming so you block them without wasting additional CPU on it.

                                            If your behaviour is identical to abusive behaviour then I don’t see why you get a free pass for your behaviour relating to a “righteous cause” like free software.

                                    2. 10

                                      Seems like their spam detection algos are pretty good. Spam detection and prevention (actual spam, not false flags) is one of the shortcomings of IRC and other “anonymous” platforms.

                                      1. 0

                                        If they were pretty good, they would not get such an obvious false positive.

                                        The point was that you should use tools that do not give third parties the ability to read your private messages at all.

                                        1. 7

                                          So, I don’t like when foss communities use discord (or slack for that matter) either. However, what you’re describing - creating a new account via tor and then immediately sending the same message with a link to three people - sounds like exactly what most spammers I’ve seen will do. What makes you say it’s an obvious false positive (from the perspective of spam detection software)?

                                  2. 13

                                    Are you doing to do the legwork and front the server costs, too?

                                    I mention on the page that the server costs for such things are on the order of $5 per month for most teams.

                                    I help run a hackerspace. It has about 75 members and they are all volunteers. We do not have the money for real employees, we do not have on-call support, and it is not uncommon for people to get busy with Real Life Stuff and just disappear for a month or three at a time. If the floor gets swept, it’s because someone decided to pick up a broom and help out.

                                    At a guess, members are about 30% professional techies of various types (engineers, academics, technicians, mostly in non-computer fields), about 40% interesting but non-tech people (that hippie who makes cool laser cut art, the cosplay guy who builds a full Iron Man suit, etc), and the rest are interested amateurs who just like playing with different stuff. There are a grand total of three people there who I would actually trust to run a server people rely on, I’m one of them, and I go there to get away from that shit. We can and do run several servers, but they’re all things like an internal NAS or shop IoT system that are toys to play around with and not essential services. We have a VPS that runs our website and a couple other mission critical things, but only a few people have access to it and working with it is not much fun so usually we don’t touch it.

                                    Chat is an essential communication medium for this place. There was a fire on our block last year and chat was how we notified people and coordinated stuff. For chat we use Slack. Slack is free, it never breaks, and if it does break we don’t have to fix it. It has an interface a child can set up and use, the client never breaks either, and it takes a new member who isn’t a computer guru about 2 minutes to set up an account.

                                    I would love to be able to point people at a Matrix server instead, but last I checked it can’t do all the things Slack can and all the clients I tried were buggy, slow, incomplete, or otherwise unpleasant to use – though this was a year or two ago now, maybe it’s better now. That was the time at which we looked at various chat services and chose Slack though. If we ran a server ourselves, we would need to have someone responsible for babysitting it. I don’t see any commercial services we can buy Matrix hosting from, and a custom managed services setup would probably run $hundreds/month. And even then, we’d have to redo a dozen channels, a couple bots, Google Calendar integration, and get 75 people to switch chat programs.

                                    Maybe we can do this someday. Maybe even someday soon. But the costs are far greater than the $5/month for hosting.

                                    1. 2

                                      I believe Slack can be used easily via Tor, and does not demand a phone number to join a group, so users who need privacy of their personal data (IP/location) would not be excluded from participating in your group.

                                      The risk of logged DMs remains, but that is a smaller risk. Discord is much more censorship-heavy.

                                      Look into Mattermost and a hidden service.

                                      1. 6

                                        Slack includes your email address in the profile, forcibly.

                                        1. 1

                                          You can generate new emails that are not linked to anybody’s account. The article wasn’t about don’t use slack after all, just how it’s not as preferred.

                                          1. 2

                                            And how many users will do that? If privacy preservation is important to you and you want to be a trustable service provider, you can’t have any situation of “the user accidentally omitted that”. Especially as the user must be pre-informed of that behaviour and have the ability to draw this conclusion before using it.

                                            Also, I’m replying to a comment on Slack, so I don’t know what the point about the article is.

                                    2. 7

                                      I have also donated approximately 5-6 years worth of server hosting expenses, anonymously and in cash, to a local nonprofit I am attempting to convince to switch away from Discord, and have offered to personally manage and document 100% of their migration for free—time for which I would bill a theoretical customer in the mid to high five figures.

                                      From the view of a well-managed nonprofit, this reads as: if that person goes away or changes their view on things, there’s the risk of mid high five figures costs.

                                      1. 3

                                        Discord is not yet a profitable company with a sustainable revenue model.

                                        GP has those risks presently, PLUS privacy/discrimination/censorship issues for all of GP’s users.

                                        GP says it’s a volunteer organization. Then you say that someone volunteering to do the work is a risk.

                                        Running communications tools is about 20-40 hours per year. Can management not extract redundant commitments from reliable members to serve as someone’s understudy in the case of disaster?

                                        1. 3

                                          GP says it’s a volunteer organization. Then you say that someone volunteering to do the work is a risk.

                                          Is the mission of this organisation running a chat service? If not, even in a volunteer organisation, the prime goal is that volunteers can work on the mission.

                                          Running communications tools is about 20-40 hours per year. Can management not extract redundant commitments from reliable members to serve as someone’s understudy in the case of disaster?

                                          20-40 hours for a skilled person, especially if you have security standards. Finding someone to keep this server safe and secure and is on-call if it breaks is hard.

                                          There’s a reasons why even collectives that focus on making communication their mission, like system.li shut down their service on major demonstrations to inform people that they cannot be trusted to not be compromised on some level.

                                  3. 15

                                    I’m still seriously surprised that anyone thinks it is an acceptable option for free software projects.

                                    For the VyOS project we are, sadly, using Slack as a primary communication channel. So does FreeRangeRouting. I’m very deeply unhappy to see that a proprietary walled garden is what the users want to use (we still have a channel on Freenode, but it’s almost dead compared to Slack). Still, between proprietary walled gardens, even Slack does a better job as a platform for technical communication than Discord does.

                                    1. 11

                                      I’m still seriously surprised that anyone thinks it is an acceptable option for free software projects.

                                      It should not be forgotten that projects that are big on Discord now have made their decision in the past. First of all, please be aware that Rusts Discord is only one of the potential places where the Rust project chats, there’s also a Zulip instance. No member or working group is mandated to use one over the other, it’s a free choice.

                                      For the Rust project, we had 2 very important points:

                                      • Good mobile support (we use our chat e.g. for sync at events like our all-hands)
                                      • Good moderation support and documentation (and antispam-support)

                                      We tried almost all options under the sun. Slack is out, because it has no moderation support. Multiple products just didn’t deliver messages. Gitter has the tendency to just hang until you reload it. Matrix was unfinished, it has now gotten better.

                                      Discord has pretty good features for managing large communites, e.g. slow mode, where people are only allowed to send messages very slowly and are blocked for a certain time between messages. This is very nice when someone tries to brigade you.

                                      Still, if we were to decided today, the decision might be very different, but back then, practically speaking, Discord was far ahead of any other.

                                      1. 8

                                        I’m told that Gitea uses it, and so does the file archive the-eye.

                                        It’s growing in popularity, which is why I wrote this post.

                                        1. 5

                                          if you are participating in the use of slack for free software projects, you are accepting it and therefore acknowledging it as acceptable in a sense.

                                          1. 2

                                            I’m not defending our use of Slack. My point is that, a) with projects like ReasonML, FRR etc., as a user, my choice is use Discord or Slack or not participate in that community at all b) and worst of all, it’s not always evil/stupid maintainers forcing users to use those proprietary products, but users forcing them to move away from free and open options. The saddest part for me was to see people flock to the Slack channel, most of those were people who were never on the IRC.

                                            1. 3

                                              it looks like ReasonML has a discourse forum (shitty but at least it’s free software), and FRR has a mailing list.

                                            2. 2

                                              Wildly incorrect. If the choice is “participate in open software” versus “don’t participate in open software”, there is an obvious right answer even if it does not 100% match your ideals.

                                              1. 1

                                                is that the choice though?

                                                1. 4

                                                  If there is an open source project that uses Discord, your choice is either use Discord or don’t participate in the community. Those are your only options.

                                                  I guess after that choice you have a choice to just not participate at all or fork the project and hope enough people agree with you, but that’s a completely separate decision that still falls under the “don’t participate in the open source project” option.

                                                  1. 3

                                                    a project that uses Discord will also have a mailing list or some other more open platform, so i still think you are presenting a false choice.

                                                    1. 1

                                                      The project that caused me to write TFA has a Google Groups mailing list (phone number required for Google Account to join) that ~none of the members are subscribed to.

                                                      These days, email has fallen out of fashion. I’m not sure why.

                                                      1. 1

                                                        which project?

                                          2. 12

                                            Is the need to have private conversations the most important part about building open source software? Most of my interactions, as a user, as a contributor and as a maintainer in open source projects happen completely in the open.

                                            • public mailing lists
                                            • public rooms in IRC
                                            • public slack channels

                                            I do occasionally have DMs and use WhatsApp to discuss some sensitive matters with another person. Or send a direct email to someone. But most of the time I want the conversation to be out in the open and indexed. I tend to discourage DMs and redirect discussions back into the open unless strictly necessary. If I had to pick something to complain about proprietary systems (Slack in my case) is that they’re quite terrible at indexing content over long periods of time. Information becomes lost.

                                            There’s something to be said about proprietary tools, but the lack of end-to-end encryption is a odd axe to grind in the context of communities where most communication is totally public.

                                            1. 5

                                              It’s not just message privacy, it’s also geolocation/IP privacy. If you can’t use a service via Tor, doxxing yourself to the hosted service provider via IP geolocation/mandatory phone number is now the cost of entry—even for the public channels.

                                              1. 4

                                                Can I run email or irc over tor?

                                                Maybe my issue with discord and slack over just mailing lists is the monitoring is focused at a single entity. Mail and irc can be scanned and logged but it’s done by multiple ISPs and entities.

                                                1. 4

                                                  Can I run email or irc over tor?

                                                  Yes. There’s been an “OnionNet” IRC network running on the hidden services system for as long as I’ve been following the dark net’s development.

                                                  Now, connecting to clearnet networks from within Tor is a different matter. Most of them block all the exit nodes (probably the only reason OnionNet is usable is because it’s not valuable enough to be worth spamming).

                                                  1. 3

                                                    Yes. I do the latter regularly.

                                                    1. 2

                                                      Yeah! There are several free email services that have hidden services (tor-only endpoints), as well. Most f/oss IRC networks permit use of Tor, as well.

                                                2. 8

                                                  I’m curious -

                                                  in the linked article, you state

                                                  Unrelated to this article: in general, for private messaging, you should use Signal.

                                                  In this thread on this site, multiple people lambast Signal for requiring a phone number, thus impacting anonymity:

                                                  How does this square with your critique of Discord’s lack of affordances for anonymity?

                                                  1. 4

                                                    Signal’s requirement of a phone number was a design decision to permit Signal to not have to store contact lists on their servers. Strangely enough, an attempt at preserving privacy actually front-loaded a small amount of the privacy concerns. It’s a necessary evil in this instance, and one they’re working on fixing. It’s absolutely not used for censorship, though, as it is in the Discord sense.

                                                    You can also easily use burner numbers that are not tied to your identity for Signal. Doing this is a lot harder when the service is using a phone number explicitly as an anti-spam censorship feature, like on Discord.

                                                    Additionally, the phone number used for Signal is only authed once at device login time, and then you can happily connect to the signal service via Tor. No additional hoops are required (such as endless captchas).

                                                    If it’s a dealbreaker, you can always just wait a spell and Signal is going to have other login methods.

                                                    1. 5

                                                      After reading this, I tried signing up for Signal using a data-only SIM card. These have a functioning, though very long phone number in my country which does work with iMessage. Signal refused the number without trying.

                                                      The argument that Signal somehow needs phone numbers while it’s a privacy problem with Discord seems incorrect to me, and I think it’s damaging in any discussion with Discord users, as it gives the strong impression of having double standards.

                                                      1. 4

                                                        In defense of @sneak, he said that the mention of Signal was unrelated to the purpose of the linked post. He was kind enough to expand on questions I had regarding Signal specifically.

                                                        1. 2

                                                          I would let OWS know; that sounds like a bug.

                                                        2. 4

                                                          I’ve never used Signal, but if I undersand it correctly, it uses numbers for an authentication SMS, right? If it does transmit the number to the servers for the auth process, how do I know that it’s not storing it?

                                                          1. 3

                                                            Telephone numbers deanonymize you. Not many realize this, but a telephone number is one instant, low-cost API call to a data broker away from your name, physical address, associated/other email addresses, date of birth, et c. The US has no meaningful privacy or data protection laws. You may think I’m exaggerating, but if you live in the US, right this moment, dozens of companies with whom you do business have already provided data brokers with the complete set of your name, phone number, email address, and street address. These lookups are commonly for sale by API and used by many other companies to detect potential fraud, spam risks, et c.

                                                            Phone numbers are a simple lookup identifier to all of your commonly used personal information. That’s why everyone asks you for them! It’s not to call you. The same goes for your email address.

                                                            I still do not think those well-reasoned objections are compatible with a suggestion to use signal. Even if you firmly believe they only use the phone number for good reasons, once, to authenticate you, they (and any LEOs whose authority they are subject to) are one instant, low-cost API from deanonymizing you.

                                                            1. 3

                                                              You don’t need to use a number that is in any way connected with you.

                                                              Signal’s goal was to get good cryptographic private messaging with a minimal amount of server side metadata collection into the hands of millions of people.

                                                              This would not have been achieved with a different design. Everyone already has phone contact lists. They refused to store contact lists on the server, so phone-as-username was the only option.

                                                              I understand they are working on a privacy-preserving system for those who do not have access to an anonymous phone number or otherwise object to using such.

                                                              1. 2

                                                                You don’t need to use a number that is in any way connected with you.

                                                                Fair enough, but going out and getting a burner phone number feels more onerous and less useful to me than hiding my location using a VPN, when it comes to barriers to participation.

                                                                FTR, I agree with your macro point that discord is best avoided by organizations that care about open participation. I’m just adding that Signal makes me worry in similar ways. I believe the Signal foundation (or even the Signal Messenger company) are unlikely to abuse the information I choose to share with them if I use their tooling, and I believe that their leadership is on the same side as I am when it comes to privacy and censorship. But if inability to reasonably use tor with a product is a dealbreaker, handing out my phone number is a bigger dealbreaker. For the precise reasons you enumerated, coupled with the significantly higher friction to getting a phone number that’s not connected to me as opposed to getting an IP address that’s not connected to me.

                                                                1. 2

                                                                  Totally reasonable! FWIW, I think they are working on a username-based system that allows them to avoid storing contact lists, which is a novel problem and not exactly easy.

                                                                2. 2

                                                                  You don’t need to use a number that is in any way connected with you.

                                                                  There are plenty of jurisdictions where know-your-customer (KYC) rules require showing and recording ID when purchasing a prepaid SIM card (https://www.gsma.com/publicpolicy/wp-content/uploads/2013/11/GSMA_White-Paper_Mandatory-Registration-of-Prepaid-SIM-Users_32pgWEBv3.pdf, map on p. 5). In that case, you’d have to add travel expenses to get a burner phone from another country where they are available, and deal with the roaming charges that come with it.

                                                                  1. 2

                                                                    https://dtmf.io

                                                                    takes bitcoin, has a hidden service :)

                                                                    1. 1

                                                                      The website is down.

                                                              2. 2

                                                                Thanks for clarifying!

                                                                Edit I’m not a user of Signal, but I’ve read up on it in conjunction with the referenced post. I find your explanation regarding the requirements of a phone number plausible.

                                                                I’m fascinated by the stated aversion to Marlinspike’s person. From what I can see, he’s firmly embedded in the culture of security and encryption. It seems his views on open source (specifically for Signal’s codebase) are literally heretical in this context, hence the aversion.

                                                            2. 8

                                                              This is a timely post.

                                                              I used Discord for many years, but recently moved away from it as a chat tool. It just seems like the company goes through an identity crisis every year. First, a chat app for gaming communities, then it was a gaming & streaming community app. Then suddenly, its was a full blown game store, then suddenly it wasn’t anymore, now I heard its moving into anime streaming? And what is with the whole “server boosting” thing? Why not add and develop the basic features that are lacking right now? I have no way to privately speak with my friends, I have no way to bulk clean up my DM (your DMs are forever unless you manually delete them one by one). Even Slack has a message retention setting that an be configured with good amount of granularity.

                                                              At the end of the day, Discord has their target audience, and it isn’t tech people. Its concerning that a FOSS project would chose, what is essentially, a chat app for gamers, to conduct their communication operations.

                                                              1. 6

                                                                This I think is the biggest issue I’d have with choosing Discord - it’s a company without unclear finances, so at any moment your project’s infrastructure can disappear.

                                                              2. 6

                                                                The Discord ToS also limits the use to non-commercial use.

                                                                1. 8

                                                                  The ToS also prohibits the use of third-party (read: non-spyware) clients; users have been banned in the past for this.

                                                                2. 4

                                                                  Are we still having this discussion a year later? I had thought things were getting better since Mozilla decided against Discord for their MozIRC replacement. Perhaps I was a bit too optimistic.

                                                                  1. 4

                                                                    While Mattermost was proposed as a Slack alternative, I think Zulip is worth mentioning as well. I haven’t used it in a while (providing no means to install it on an existing server is extremely off-putting to me), but I can say I found the UX very nice, with their somewhat daring “threaded” model.

                                                                    1. 2

                                                                      Zulip is great, we use it at my company, the Rust project and Ferrous Systems. Definitely consider it.

                                                                      I’m confused by “no means to install it on an existing server”? There’s installation instructions here? https://zulip.readthedocs.io/en/stable/production/install.html

                                                                      1. 1

                                                                        https://zulip.readthedocs.io/en/stable/production/requirements.html

                                                                        To run a Zulip server, you will need:

                                                                        • A dedicated machine or VM

                                                                        The installer expects Zulip to be the only thing running on the system; it will install system packages with apt (like nginx, postgresql, and redis) and configure them for its own use. We strongly recommend using either a fresh machine instance in a cloud provider, a fresh VM, or a dedicated machine. If you decide to disregard our advice and use a server that hosts other services, we can’t support you

                                                                        So, as I said: the development team has simply decided that figuring out how to play nice on servers with other things on it is not a priority. That’s their prerogative, but it doesn’t mesh with the infrastructure I’ve already got.

                                                                        Another caveat I found: If you eschew your own installation, and use their free, public server, note that I was dismayed to discover that the email addresses of all users on that server are publicly accessible. That was very disappointing.

                                                                        But anyway, other than these major CX problems, I found Zulip to be pretty good.

                                                                        1. 2

                                                                          So, as I said: the development team has simply decided that figuring out how to play nice on servers with other things on it is not a priority. That’s their prerogative, but it doesn’t mesh with the infrastructure I’ve already got.

                                                                          I find that a reasonable constraint and am happy that they are upfront about it. You practically can’t support arbitrary systems. That indicates that it still runs on such systems, but they don’t provide support for it. A classic case there would be a distribution taking over the integration work.

                                                                          Especially Redis has nasty habits if you try to run multiple services on it.

                                                                          Finally, I would never consider running a communication product without a thick wall to all other services.

                                                                          1. 1

                                                                            I understand your points, but I am a bit saddened that the software development world has evolved so that I can’t buy a “toaster” and put it to use in my kitchen without requiring there to be no stove, rice cooker or microwave in the same kitchen, and without having the toaster rewire the electrical system of my house to match the wiring in the houses of the developers of the “toaster”. There were days when this was not so.

                                                                            1. 1

                                                                              For me, it’s more akin to not being able to use the one drum in two washing machines, even if its the same model. It doesn’t make me sad at all. Systems come in components, the ability to isolate groups of components is a win.

                                                                    2. 6

                                                                      Great article! But email still remains the best.

                                                                      1. 2

                                                                        There are some great alternatives. I’m not going to tell you to go use IRC like some cranky old Thinkpad-toting unixbeard who doesn’t recognize that mobile apps are a hard requirement for meaningful social collaboration these days

                                                                        The author appears to be unfamiliar with WeeChat and Glowing-Bear, which together give you a very decent mobile experience, despite not being as pretty as Slack or Discord.

                                                                        1. 2

                                                                          I guess this is not entirely on-topic for the thread… but why would motivate using weechat and glowing-bear instead of a client agnostic bouncer like ZNC?

                                                                          1. 2

                                                                            I do use ZNC behind WeeChat. But I’ve never gotten ZNC to work the way I like, which is per-client buffers. I hate that I connect with my phone, get missed messages and then when I connect on my desktop the messages are not there. Of course you can set the option to not clear the buffer, but then you will also get all messages repeated when you reconnect from the same client.

                                                                          2. 1

                                                                            A quick search of the Apple App store seems to indicate these are not available for iOS users.

                                                                            1. 2

                                                                              They are. WeeChat runs in tmux somewhere, Glowing-Bear is a webapp that you can add to your homescreen on iOS. Either you use the webapp hosted by the project (glowing-bear.org) or you set up a static webserver somewhere. Glowing-Bear connects to your WeeChat client-side, it has no server-side logic.

                                                                              1. 4

                                                                                I don’t mean to nit-pick, but both these solutions seem to require the user to host WeeChat on a separate server (the referenced webapp for Glowing-Bear does not appear in their instructions).

                                                                                1. 1

                                                                                  That’s correct. WeeChat works as an irssi-like console client, and it can listen on a TCP port offering a websocket (with or without TLS). The webapp the connects to this websocket and that’s how it does its work. You need both to get IRC on your phone but only WeeChat you must host yourself; Glowing-Bear is optional to host yourself.

                                                                                  Personally I use WeeChat through tmux through SSH from my desktop and laptop. On iOS I have added a self-hosted Glowing-Bear to my home screen, which connects to the websocket offered by the same WeeChat, behind an sniproxy. Took me an afternoon to set up and I have been using it for years now. IRC is now a lower mental barrier than Slack for me.

                                                                                  1. 8

                                                                                    That setup falls firmly into what the OP called “Thinkpad-toting unixbeard” territory, so I don’t think you’ve made your point.

                                                                                    1. 6

                                                                                      As a thinkpad-toting unixbeard, I agree.

                                                                                      We need solutions for people uninterested in recreational sysadmin.

                                                                          3. 2

                                                                            Shouldn’t a ticket tracking system also be listed as an important element of a communication suite for a free software project? In the same way as threaded asynchronous discussion its not supported by discord. A lot of people are using trello which I think is a terrible idea. I would love to hear the author’s suggestions about what the best foss ticket tracker is at the moment.

                                                                            1. 1

                                                                              What’s stopping anyone from scraping any of the public service alternatives you talked about, disrupting all supposed Privacy anyways?

                                                                              1. 8

                                                                                Scraping doesn’t give you someone’s IP/geolocation, login history timestamps/IPs/geolocations, other PII, or DMs.

                                                                                Also, even if it did (it doesn’t), the user could then use Tor to mitigate and preserve their privacy. You can’t effectively use Tor with Discord.

                                                                                1. 3

                                                                                  Geolocation/IP correlation isn’t that difficult when everyone uses the exact same usernames everywhere anyways. It’s highly unlikely, for example, that anyone on the Amethyst Discord is totally “google free”. And all it takes if they aren’t is for them to visit a single link with the necessary tracking pixel, no evil js required. As for secure DM’s, just use Keybase anyways if security is a requirement; I don’t think you should be posting secure anything onto a public board. And using TOR to mitigate all of this with an alternate identity so you can post on a public open source chat room? I don’t know, I just honestly don’t see the threat model, but I do see people using an exit node to evade an IP ban on a public service.

                                                                              2. 1

                                                                                Please avoid mattermost, as it is open core. Matrix is good enough for mozilla. What’s stopping you from using matrix?

                                                                                1. 1

                                                                                  I read this not long after choosing Discord for our game’s public discussion. We chose Discord because the Rust project chose it, and well, it’s pretty.

                                                                                  I ruled out IRC because it has a number of primitive UI features/missing features. For example, no reactions, and no (out of the box) ability to see chat history from before you connected.

                                                                                  I ruled out Matrix because it did not appear to have reactions.

                                                                                  I ruled out Mastodon/ActivityPub because it didn’t have a chatty feel. It was more like twitter.

                                                                                  1. 3

                                                                                    Matrix does have reactions. When did you look?

                                                                                    1. 2

                                                                                      I looked a few months ago. I used a client called Fractal.

                                                                                      1. 2

                                                                                        Yep, and this is the essence of the problem. Matrix is so complex and badly documented/specified that for most purposes, Riot is the only client. Perhaps this will change, but I’ve been waiting for that change for several years already and it’s starting to feel like it’ll never happen.

                                                                                    2. 1

                                                                                      Matrix has reaction support, I’ve seen them on servers I attend

                                                                                    3. -1

                                                                                      Discord is also full of white supremacists, and a lot of people would rather not use it because of that.

                                                                                      1. 9

                                                                                        Do you really believe that? Do you really buy into the neo-nazi hysteria that much?

                                                                                        The same could be said about most platforms out there.

                                                                                        1. 4

                                                                                          There are SOME extremist activity in most platforms, but some like Reddit and Discord have more content and had been used for organizing efforts of these groups. Security Analysts and OSINT people keep an eye on discord, because there is a higher amount of relevant extremist activity there than in most open platforms.

                                                                                          1. 4

                                                                                            Is that more than their size would indicate? I’d assume large platforms like reddit and discord to have a lot of… well, everything. I certainly haven’t noticed it being worse than facebook or twitter.

                                                                                            1. 1

                                                                                              Is Discord centrally moderated like Reddit is?

                                                                                              1. 3

                                                                                                Reddit is the closest analogy, yes. There are local moderators but the platform is the ultimate arbiter.