I ended up using Reddit for blog comments:
1) a good commenting interface
2) many existing users with accounts
3) a low barrier to a signup for those who don't (you barely even need an e-mail address)
4) an API
The downside right now is that you have to leave the page to comment, but I don't think it's a big deal. It probably lowers engagement a little, but I find that most comments happen on other aggregators like HN, no matter which service you use for comments.
I also use reddit's RSS feeds, since a few people asked for that.
Reddit has its share of immature users and a culture of snark, but my subreddit has managed to steer clear of that.
Some people intentionally do this to the comments on their old posts, to avoid having to monitor them for spam and abuse.
I could have sworn I had seen a few articles a couple of years back saying reddit was getting into the embedded comments game like Facebook and Disqus, but I haven't seen them around anywhere.
Maybe I'll play with this during our company hackathon next week.
If it's a new project, I wouldn't worry about the extra click until you start getting some comments (yeah I realize it's a bit circular, but true). My experience is that you will get comments from the aggregators that the traffic came from, e.g. HN. And maybe Twitter and Facebook.
Most people aren't used to posting comments on websites anymore. But I do get a few comments on Reddit, and it has been worth it.
> Even in your own subreddit, just submitting links to your own site/stuff can get you banned 
It's what leads to people getting shadow banned and not understanding why
> For unauthenticated requests, the rate limit allows you to make up to 60 requests per hour. Unauthenticated requests are associated with your IP address, and not the user making requests.
In this case, all the comments for an issue are returned with a single API call, making the limit a nonissue (unless someone is binge-reading more than a post a minute)
Also, it may be a good idea to sanitize the comment.body_html. That seems XSS abusable.
GitHub handles sanitizing comment HTML automatically. They use a fairly strict whitelist of tags/attributes that are allowed through. Anything that's not allowed gets escaped.
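As an added illustration of the allowlist-and-escape behaviour described above (not code from the thread and not GitHub's own sanitizer), a blog that injects `comment.body_html` into the page could apply a second, client-side filter as defense in depth. The tag and attribute lists and the function names are assumptions made for this example, and the sample inputs in the usage are constructed.

```javascript
// Added example: allowlist filter for comment.body_html before it is inserted
// into the page. Tag/attribute lists below are assumptions for illustration.
const ALLOWED_TAGS = new Set(["p", "br", "em", "strong", "code", "pre",
  "blockquote", "ul", "ol", "li", "a"]);
const ALLOWED_ATTRS = { a: new Set(["href", "title"]) };
const URL_ATTRS = new Set(["href"]);

function escapeText(s) {
  // Existing entities (&amp; etc.) are left alone; only markup characters are neutralised.
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Never copy a tag through verbatim: rebuild it from the allowlisted parts only.
function rebuildTag(closing, name, rawAttrs) {
  if (closing) return `</${name}>`;
  const allowed = ALLOWED_ATTRS[name] || new Set();
  const attrRe = /([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let out = `<${name}`;
  let m;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const attr = m[1].toLowerCase();
    const value = m[2] !== undefined ? m[2] : m[3];
    if (!allowed.has(attr)) continue;                  // drops onclick, style, ...
    if (URL_ATTRS.has(attr) && !/^https?:\/\//i.test(value)) continue; // drops javascript:, data:
    out += ` ${attr}="${escapeText(value)}"`;
  }
  return out + ">";
}

function sanitizeCommentHtml(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)(\s[^<>]*|\/)?>/g;
  let out = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));      // text between tags
    const name = m[2].toLowerCase();
    out += ALLOWED_TAGS.has(name)
      ? rebuildTag(m[1] === "/", name, m[3] || "")
      : escapeText(m[0]);                              // not allowed: escaped, not removed
    last = tagRe.lastIndex;
  }
  return out + escapeText(html.slice(last));
}
```

Every `<` in the output comes from a rebuilt allowlisted tag, so anything the filter does not recognise ends up as visible text rather than markup. It does not balance unclosed tags, which a DOM-based sanitizer would handle.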
I'm not aware of rate limits for individual repos. I think they can set it up if they want but it's not enabled by default. I remember a package manager hammering GitHub with anonymous requests that they limited but that was a special case.
The one issue that jumps to mind is for CGNAT'ed users if that rate limit is for site wide un-authed requests. CGNATing cell users is pretty popular here in the UK.
I'm not affiliated with the site, I've just used them for comments on one static github hosted blog post.
I would be interested to hear about Google / Azure cloud alternatives.
I've done something similar with my blog. It's not using Disqus or any heavyweight 3rd party solution for comments.
Instead, I've created something very simple, similar to GitHub Issues frontend UI and backend, and used that. The backend is completely pluggable (it's an interface), so it can be implemented by talking to real GitHub API, or any custom implementation you want. My blog uses a simple JSON files implementation, so I can avoid a heavyweight database dependency.
Oh, and I've also implemented reactions. Not just 6, all of them.
I do use GitHub for authentication though, I don't want to make people come up with yet another password.
What surprises me is Disqus didn't even give a shit about the page's loading time in an effort to violate users' privacy and trust.
Disqus, if you are reading this thread, shame on you!
Their pricing page clearly says the free version is ad supported, paid versions can turn off ads.
The person making such a market cannot make a living out of it without automation unless the blog comes off the bat with millions of viewers (think top YouTube channel content creators who get sponsorship). With automation comes the need for tracking.
Almost always this has a highly enforced anonymity - since the behavioral signal is more valuable than knowing who exactly you are.
This is obviously not a designed feature of GitHub API and it feels like an abuse of GitHub service.
This is creative, and if your blog is hosted via GitHub Pages, then using Issues to discuss the content is not far-fetched at all.
While GitHub may keep silent now as there are not many people doing this, if in the future the "hacks" become more popular, we could see GitHub taking a stance on this.
I certainly hope GitHub can give some explicit consent to these use cases, which could lead to an entire set of new services that GitHub can offer (like what Google is doing currently).
Why not stand up a Discourse instance for your comments? https://meta.discourse.org/t/embedding-discourse-comments-vi...
Worth noting that hackers who use workarounds like this are doing it for the fun and since it looks like an unmonetized personal blog, OP presumably would prefer not having a monthly bill for servers.
For any serious project, I agree that discourse is a great option or maybe a custom built comments solution depending on the use case.
Still he is right, the price for a free service is to be tracked to the right, left and center...
It's nice to have the content and the comments handled by the same provider, so that they are available under the same circumstances.
Discourse may or may not be a good system but I find it sad that it has such huge requirements compared to old school php forums like phpbb, smf, vbulletin etc...
You can embed your comments as needed... customize / configure Discourse as needed... it's easy to work with (even across pages hosted on different URLs -- if you can set a Canonical you can call the right comments)... easy to add signups to your CRM... my clients running this setup have been very happy with it.
Disqus... you leave the site, you leave the branded design, to create an account and sign in... it's trash for real sites.
GitHub... seems like shoehorning in something not quite right. "Paint the cat orange and call it a tiger..."
Any idea what causes the difference?
I see many, though certainly not all, of the same trackers there. Also yours seems to load much faster even with all the trackers.
Found this: https://blog.disqus.com/protecting-users-privacy-on-disqus My browser didn't send a DNT header with the request though. The blogpost seems to be a bit of a joke when comparing it to the list of trackers reported by pingdom.
I'll definitely look for a Disqus replacement :)
I'm sad that didn't take off, it was so handy.
There's a free demo here: https://apps.sandstorm.io/app/2m8rty615fcj11z2u5674s8a74yv48...
I think the one tweak I need to make is keeping a copy of the blog index in the README.md for the main project. That way watching the project will effectively provide notification of new content.
A one-click setup simple enough for non-technical users.
Instructions should be along these lines:
1. Sign up for AWS if you haven't already got an account
2. Generate a keypair and run our setup/load our template/whatever (I'm a bit hazy on AWS automation but I would imagine there's a fairly obvious way to do this. The new CodeStar thing looks like it might fit the bill)
The service would use Lambda and DynamoDB to handle storing/serving the comments. Costs would be fairly minimal for low-traffic sites.
Rough guess is that this would be no more than a few days to a couple of weeks work for someone. Am I over-optimistic?
So either someone does this to scratch an itch or we fund it via Patreon/Kickstarter.
Nevermind. It's not an idea, it's a real product.
You're gonna have a very hard time if you want to run instances, lambda and dynamodb in the cloud only to run a blog with comments. First, it's really complex to set up, even for an experienced dev. Second, it's gonna cost a ton of money and you'll be at the mercy of your traffic.
> First, it's really complex to set up, even for an experienced dev.
The whole point of the idea was that the setup would be templated. That's why I spelt out the steps I envisaged the end-user having to perform. Did you miss that part?
> Second, it's gonna cost a ton of money and you'll be at the mercy of your traffic.
This depends on traffic and my hunch is that it would be quite affordable for most low/medium traffic blogs. Lambda is dirt cheap and Dynamo has a very generous free allowance. Also see the suggestion below and my reply. The comments section would only need to be generated when a comment was posted and the html fragment could be stored in a free CDN.
If any of this is not automatable it fails as an idea, because configuring AWS requires a colossal amount of effort from someone who hasn't already used it.
There is no way to set a budget for AWS.
There is no feature that allows you to configure a limited budget on GCE. This feature is certainly available for GAE.
Azure: it's possible for certain subscriptions, but not for pay-as-you-go. Sounds like there are political motives at work, not technical ones.
What exactly is supposed to happen when the billing limit is hit? Delete everything? That's the only way to actually stop billing completely and I'm not sure who would actually want that.
Disqus without ads and without real-time comments is pretty fast, but those days are long gone and they're also full of spam. It's also such easy spam to catch that it feels like they just stopped caring and are cashing in as long as they can.
Also why not just use Gists? I've seen a few people use them as a standalone blog pages with markdown files, and it also has an API available.
Would be perfect if it supports an external database and not only sqlite.
You can see a working proof of concept / mvp today.
I don't know if Disqus requests so much tracking. Currently, I am setting up a personal blog and looking for a comment system for it. There are two choices: Disqus and Twitter. Why? Disqus is free and easy to put on whatever blog platform you use, and Twitter is free too; I think many people have it. After reading this, I think GitHub is not a good place to give a comment because somebody who doesn't have an account must register first. I am talking about the "non-developer" reader.
Does anybody here use Twitter as a blog comment system? I would like to know your experience since some people usually use it for their blog.
For sufficiently motivated adversaries, even a custom UI isn't enough of a roadblock.
Is it really realistic to expect advanced attacks on CAPTCHAs with visual recognition or Mechanical Turk? I think you'd have to be a very high value target. I wrote a little PHP captcha when I was 15 and I've been using it ever since, and I never got any spam on my (admittedly very low-traffic) sites.
I actually wanted to implement visual perturbations based on perlin noise, but I really never got around to doing that. Would be an exciting little project.
Also, if a site asks me to use someone else's credentials to comment, I probably won't bother. Why should my hobby-coding account on Github, or my spam-catching account on Gmail, be linked to your blog about philately or bird-watching?