How can I tell if a particular distribution of the Discourse client is free software?

For people who want to avoid running nonfree software, how can we tell if the software that a website gives us for accessing a forum powered by Discourse is free software?

Without the JavaScript client software, the forum appears to be read-only, so I want to run the JavaScript on the website, but I see no indication here on Discourse Meta or on for example the Purism Forums (also powered by Discourse), that the client software is free software. Some of the script files have links to source maps, but the source maps I checked did not have any license information.

I found an older topic that mentions “There is only one version of Discourse – the awesome open source version.”, but then I also found a topic that suggests that the CLA may allow for proprietary versions, but it has no examples of proprietary versions.

One Discourse instance that does show licensing information is the FSF members forum (only accessible to members I think), which links to the GitHub Discourse repo, an FSF git repo, and the GitHub repo for an extension, but this information is only shown after the client software is already running, so it’s not very useful for deciding whether to run the program in the first place.

Is there a way for me to figure out whether the client software served by a Discourse instance is free software without actually running that software? Or even if I do have to run the software, how would I get the full licensed source code of the client software for a Discourse instance? Surely the original discourse GitHub repo isn’t always sufficient, since people may have modified the software before redistributing it?

Alternatively, is there a different Discourse app that doesn’t download software from the servers it connects to?

1 Like

Discourse is open source, so using it is free. Hosting, on your own or using CDCK, will cost.

A search for “is discourse free” gave this:

Sure it is. And de facto the only source to use.

4 Likes

My guess is you can’t.

Some installs will be hosted and have proprietary bits in the hosting stack.

Self hosters would be foolish not to use the standard install because that’s the cheapest to support.

One thing you might find is some sites might use proprietary/private plugins which the platform allows you to install at the admin’s discretion.

5 Likes

I am confused by this statement. Are you saying that people who host Discourse do not modify the software before redistributing it?

People are known here as the team or as a company, CDCK. Of course they do, every day. It is under constant development. And yet that is what we are using.

This may open that question:

2 Likes

Your mention of plugins made me think if there’s a way to check the version information, and I found this topic that describes how to get the version information.

So I can see, for example, that this instance is using commit 276bc8a565389ea1a145af08ec8e64c1a5bea990, the FSF member forum is using commit 7ecaf6295daf8759aa98d00e7035c4dc0f853303, the Purism forum is using 999aaa35a79ae7c586a91de1f6c1f7b3c8092bd2, and the Exercism forum is using commit 1bd9ca11e777f880462ae64c6795ef7de28a8cd2. All of those are valid commits in the official repo, so I guess the instances have not modified Discourse itself (though they may have added plugins).

I think that leaves plugins and themes. It looks like maybe you can see the name of the plugins by looking for “data-discourse-entrypoint” attributes in plugin scripts, but I don’t see a version identifier. Do you know of any way to get the list of installed plugins?
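The check described in the post above can be done on the page's static HTML, without executing any of the site's JavaScript. The following sketch is an added example, not part of any post in this thread and not Discourse's own code; it assumes that the commit appears in a `generator` meta tag, that plugin scripts carry a `data-discourse-entrypoint` value starting with `plugins/`, and the sample page and plugin name are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample page; tag layout, version number and plugin name are assumptions.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="Discourse 0.0.0 - https://github.com/discourse/discourse version 276bc8a565389ea1a145af08ec8e64c1a5bea990">
<script defer src="/assets/discourse-aaaa.js" data-discourse-entrypoint="discourse"></script>
<script defer src="/assets/plugins/example-plugin-bbbb.js" data-discourse-entrypoint="plugins/example-plugin"></script>
<script src="/theme-javascripts/cccc.js"></script>
</head></html>"""

# Commits quoted in the thread. In practice this set would come from a local
# clone of the official repo, e.g. the output of `git rev-list --all`.
OFFICIAL_COMMITS = {
    "276bc8a565389ea1a145af08ec8e64c1a5bea990",
    "7ecaf6295daf8759aa98d00e7035c4dc0f853303",
    "999aaa35a79ae7c586a91de1f6c1f7b3c8092bd2",
    "1bd9ca11e777f880462ae64c6795ef7de28a8cd2",
}

class ScriptInventory(HTMLParser):
    """Collects the advertised commit and every external script, unexecuted."""
    def __init__(self):
        super().__init__()
        self.commit = None
        self.core, self.plugins, self.unlabelled = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name") == "generator":
            m = re.search(r"\bversion ([0-9a-f]{40})\b", a.get("content") or "")
            self.commit = m.group(1) if m else None
        elif tag == "script" and a.get("src"):
            entry = a.get("data-discourse-entrypoint")
            if entry is None:
                self.unlabelled.append(a["src"])   # theme or other unnamed script
            elif entry.startswith("plugins/"):
                self.plugins.append(entry[len("plugins/"):])
            else:
                self.core.append(entry)

def inventory(html, official_commits):
    """Summarise what a page would ask the browser to run."""
    p = ScriptInventory()
    p.feed(html)
    p.close()
    return {"commit": p.commit,
            "commit_in_official_repo": p.commit in official_commits,
            "core": p.core,
            "plugins": sorted(set(p.plugins)),
            "unlabelled_scripts": p.unlabelled}
```

A matching commit only shows what the server claims to run; scripts listed under `plugins` and `unlabelled_scripts` still need their own source and license checked.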

You could look at the JavaScript packages to get a clue, but any number of plugins might be installed in the back end away from prying eyes.

2 Likes

What I meant by “modify the software before redistributing it” was that people who redistribute the software on public websites, like forums.puri.sm for example, could modify their version without submitting changes to the main git repo. If they made an agreement with Discourse, they could release those changes as nonfree software, separately from the main Discourse git repo.

The velocity of changes to the main repo is so high it would be expensive to keep a fork viable.

That is exactly why plugins are a popular solution for extensions.

4 Likes

Big if, and I don’t believe that would happen — and what agreement? Discourse is open source. But CDCK knows that better. I reckon there are some forks out there, but are those in production… I doubt that. But as Robert said, why, when things can be done with components and plugins?

2 Likes

So I guess the only way to check plugins might be to:

  • Set up my own Discourse instance
  • Try to install the same plugins as any remote instances I want to interact with
  • Check to see if the plugin JavaScript is the same on my instance vs their instance

I guess I could also try to avoid running the plugin software entirely, and only use the scripts that are part of Discourse itself.

Of course, I don’t have a way to check their backend, but I only care about the client software when I’m connecting to someone else’s server.

Maybe you are also interested in safe mode, which disables JavaScript customizations.

2 Likes

No. You cannot see what is happening on the server. There may be many changes that are not exposed on the public API or very hard to decipher.

A layman is not privy to what is going on in the server.

3 Likes

I think this, combined with the version information is enough to use arbitrary Discourse distributions while avoiding running nonfree software. One can check that the commit is in the official GitHub repo and then either make sure safe mode is always enabled or only “whitelist” (in a tool like LibreJS) scripts that appear when using safe mode.

No. It is not. It only disables client side changes.

3 Likes

The client-side changes are all I care about because I won’t run the server code on my computer.

If I was going to run a Discourse server, then I would choose which plugins to install and just not install plugins that are missing a license.

When I’m connecting to someone else’s server I’m expected to run the software they give me, which might not have a license in an easy-to-find place.

I think most installs will have predictable sets of plugins. But not all. You will never know unless you become a privileged admin of the site.

2 Likes

To make sure I understand correctly: if a change is not client-side, then that means it will not affect the code that a normal user (i.e. not an admin) of the Discourse distribution will run. Is that correct?

run but not be subject to in the processing of any information they may interact with.

a server could, in the background, send all your details to Facebook and get paid :wink:

2 Likes