tickets #168415

open

disable link preview generation on forums.o.org

Added by dirkmueller 3 months ago. Updated 2 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Forum
Target version: -
Start date: 2024-10-17
Due date:
% Done: 0%
Estimated time:

Description

The forums.opensuse.org Discourse currently has "onebox" previews enabled for all domains. This carries the risk that a plain link done by a forum member to an external webpage can create a preview/thumbnail of a picture on the page. This thumbnail is hosted and served by the Discourse software, which means openSUSE participates in potentially hosting images that we have no licenses for.

Hence the recommendation to disable the setting "enable inline onebox on all domains" and enable it only on domains that we consider safe (e.g. opensuse or suse.com for example).

Actions #1

Updated by hendersj 3 months ago

dirkmueller wrote:

The forums.opensuse.org Discourse currently has "onebox" previews enabled for all domains. This carries the risk that a plain link done by a forum member to an external webpage can create a preview/thumbnail of a picture on the page. This thumbnail is hosted and served by the Discourse software, which means openSUSE participates in potentially hosting images that we have no licenses for.

Hence the recommendation to disable the setting "enable inline onebox on all domains" and enable it only on domains that we consider safe (e.g. opensuse or suse.com for example).

Making a change like this is a pretty big ask. I would like SUSE legal to weigh in on the risk here, especially as the openSUSE forums are not the only system of this kind that use this method of displaying links - it's common enough that users are used to it, so changing it is a change to the overall experience.

The change wouldn't be retroactive - the way Discourse works is it "bakes" the message HTML into a database field, so changing it wouldn't remove oneboxes from across the entire forum. Every single message would have to be checked by the software and "rebaked" in order to remove the oneboxes.

Currently, there are over 1.2 million posts that the system would have to evaluate and update; doing so would likely have a measurable impact on system performance while it was running.

Actions #2

Updated by crameleon 3 months ago

  • Category set to Forum
  • Private changed from Yes to No

Actions #3

Updated by dirkmueller 3 months ago

I understand that it will not change old posts. I was not asking for doing this retroactively. It wouldn't change the situation anyway. I was asking for the setting to be changed so that we do not have this issue going forward.

I hear you that there might be other places doing the same. Feel free to point them out, I am not aware of them. The issue is for me Discourse-specific because it does a deep copy of the thumbnail and serves it from the hosts. Most other solutions that I'm aware of either fetch it via JavaScript from the original site or link the original site, which are not an issue.

Actions #4

Updated by dirkmueller 2 months ago

Thinking about it, a similar issue could happen on our MediaWiki instances. Overall this is just a risk/benefit/cost balance. The risk on a forum post is rather high compared to a wiki page, and the effort to turn it off is minimal (one checkbox to click, plus 'save'). On the other hand, the cost of violation is a financial risk that SUSE cannot carry. If you want to finance copyright violations on the forum in some other way, please go ahead. SUSE cannot cover it, hence my kind request to turn this functionality off to lower the financial burden.

Actions #5

Updated by dirkmueller 2 months ago

From https://copyrightaid.co.uk/forum/viewtopic.php?t=3589:

Put simply, if you only link to a site where an image is legally hosted that is permissible, even though it may appear that the image forms part of your site. The critical thing is that the must not be hosted on your own site

The existing Discourse implementation does exactly that. Please turn it off. It is a single button click.
