Replacing Disqus with GitHub Comments (donw.io)
534 points by indy on April 21, 2017 | 121 comments

The slowness and chattiness of Disqus were the first things I noticed about it too. I'm disappointed that a YC company is resorting to that.

I ended up using Reddit for blog comments:


Reddit has:

1) a good commenting interface

2) many existing users with accounts

3) a low barrier to a signup for those who don't (you barely even need an e-mail address)

4) an API

The downside right now is that you have to leave the page to comment, but I don't think it's a big deal. It probably lowers engagement a little, but I find that the most comments happen on other aggregators like HN, no matter which service you use for comments.

I also use reddit's RSS feeds, since a few people asked for that.

Reddit has its share of immature users and a culture of snark, but my subreddit has managed to steer clear of that.

There is another big (in my eyes) downside to using Reddit for such purpose: Reddit threads are automatically archived after six months, at which point no new comments can be added to them. Of course nothing stops a user from creating a fresh thread, but that leads to fragmentation of comments and if you want to somehow mitigate this, it introduces additional effort.

> Reddit threads are automatically archived after six months, at which point no new comments can be added to them.

Some people intentionally do this to the comments on their old posts, to avoid having to monitor them for spam and abuse.

That also eliminates monitoring them for valuable contributions, especially on evergreen content.

You can always make a new thread, treating reddit as a normal forum.

Too much work

Disqus was a lot better before they spent a bunch of time and money building out live updates. Does anyone actually like that feature? Having posts move down the screen at random intervals as you're trying to read them is incredibly frustrating. Every time I have to click "pause live updates" I wonder why not just turn that off for good.

Me too. Having clicked that like 50 times, a "turn off permanently" option would be cool.

I'm using Facebook comments for a new project I'm starting, but I would really prefer to be using reddit. Has anyone seen a way to embed reddit comments onto a web page that isn't too hacky? -iframes, etc. I have a subreddit created for my site already, but I really don't want to just link to the discussion pages like you're doing.

I could have sworn I had seen a few articles a couple of years back saying reddit was getting into the embedded comments game like Facebook and Disqus, but I haven't seen them around anywhere.

Reddit dev here. I made one of our current oembeds. I have thought for a while that it would be neat to offer one for a subreddit's top posts. A comment tree embed would be cool too. I don't know if mods would be fans of it letting users add comments from it though.

Maybe I'll play with this during our company hackathon next week.

I wish Reddit would embrace commenting and could compete with Disqus. I think bloggers especially have more trust in reddit; if it would work fast and doesn't load a lot of crap like disqus, it would bring a good chunk of new users to reddit and also be beneficial to bloggers themselves.

I can see this creating more headaches for moderators. It's already difficult enough to get people to read the rules before posting.

I imagine embeds would be enabled/disabled per subreddit so mods wouldn't have to deal with it if they didn't want to. A blog that wants to add comments from Reddit would start their own subreddit.

Auto mod. Headaches for mods don't exist because it's just a website and not a job.

As a former moderator of a default subreddit, I don't think you know what you're talking about here. AutoMod is a useful tool but can only implement basic rules—it's more a supplement to human moderators. And people of course care about things that aren't their jobs.

I think it's possible to write something using the Reddit API, but I didn't look into it:


If it's a new project, I wouldn't worry about the extra click until you start getting some comments (yeah I realize it's a bit circular, but true). My experience is that you will get comments from the aggregators that the traffic came from, e.g. HN. And maybe Twitter and Facebook.

Most people aren't used to posting comments on websites anymore. But I do get a few comments on Reddit, and it has been worth it.

Is there any risk of a subreddit getting banned by the spam filter because all posts link to a single domain?

I don't think so. There are subreddits (ab)used for even sillier things than that: see RedditStorage[1] for example.

[1]: https://github.com/rossem/RedditStorage

Nope, you are free to do whatever with your own subreddit, e.g.:


It's actually still against the rules

> Even in your own subreddit, just submitting links to your own site/stuff can get you banned [0]

It's what leads to people getting shadow banned and not understanding why


Disqus has an API too. That's probably the easiest way to remove their JS from your website.

It's worth noting that GitHub has a very strict rate limit for unauthenticated calls (https://developer.github.com/v3/#rate-limiting):

> For unauthenticated requests, the rate limit allows you to make up to 60 requests per hour. Unauthenticated requests are associated with your IP address, and not the user making requests.

In this case, all the comments for an issue are returned with a single API call, making the limit a nonissue (unless someone is binge-reading more than a post a minute)

Also, it may be a good idea to sanitize the comment.body_html. That seems XSS abuseable.

> Also, it may be a good idea to sanitize the comment.body_html. That seems XSS abuseable.

GitHub handles sanitizing comment HTML automatically. They use a fairly strict[1] whitelist of tags/attributes that are allowed through. Anything that's not allowed gets escaped.
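
An added example (not from any commenter and not the blog's own code) of the defense-in-depth rendering discussed in the two comments above: it skips `body_html` entirely, escapes the raw `body` and `user.login`, and emits `html_url` and `avatar_url` only when they are HTTPS URLs on expected hosts. The sample comments, the host patterns and the output markup are assumptions made for the illustration.

```javascript
// Field names (user.login, user.avatar_url, html_url, body) are those of the
// GitHub issue-comments API. Host patterns and markup below are assumptions.
const isGithubHost = (h) => h === 'github.com';
const isAvatarHost = (h) => /^avatars\d*\.githubusercontent\.com$/.test(h);

// Escape every character that can change HTML context, in text or attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Return a normalized URL only if it is https, carries no userinfo
// (https://github.com@other.host/...), and its host passes hostOk.
function safeUrl(raw, hostOk) {
  let url;
  try {
    url = new URL(String(raw));
  } catch (e) {
    return null; // not an absolute URL at all
  }
  if (url.protocol !== 'https:') return null; // rejects javascript:, data:, http:
  if (url.username || url.password) return null;
  if (!hostOk(url.hostname)) return null;
  return url.href;
}

// Build the markup for one comment without trusting any API field as HTML.
function renderComment(comment) {
  const user = comment.user || {};
  const login = escapeHtml(user.login || 'unknown');
  const avatar = safeUrl(user.avatar_url, isAvatarHost);
  const link = safeUrl(comment.html_url, isGithubHost);
  // Plain-text body: Markdown formatting is lost, but nothing is interpreted.
  const body = escapeHtml(comment.body || '').replace(/\r?\n/g, '<br>');

  const parts = ['<article class="comment">'];
  if (avatar) parts.push(`<img src="${escapeHtml(avatar)}" alt="" width="32" height="32">`);
  parts.push(link
    ? `<a href="${escapeHtml(link)}" rel="nofollow noopener">${login}</a>`
    : `<span>${login}</span>`);
  parts.push(`<p>${body}</p></article>`);
  return parts.join('');
}

// Constructed sample data: one ordinary comment, one with hostile field values.
const SAMPLE_COMMENTS = [
  {
    user: { login: 'alice', avatar_url: 'https://avatars0.githubusercontent.com/u/1?v=3' },
    html_url: 'https://github.com/example/blog/issues/1#issuecomment-1',
    body: 'Nice post!\nThanks.',
  },
  {
    user: { login: '<img src=x onerror=alert(1)>', avatar_url: 'javascript:alert(1)' },
    html_url: 'https://github.com@evil.example/phish',
    body: '<script>alert(1)</script>',
  },
];

console.log(SAMPLE_COMMENTS.map(renderComment).join('\n'));
```

To keep Markdown formatting, `body_html` would have to go through a maintained HTML sanitizer on the client before insertion rather than a hand-written filter.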

Is the rate limit per API key, or per IP address sending the request? If it's counted by API key (which it sounds like it is), then the comments should stop working after 60 site visitors in an hour... But, if that's the case, wouldn't the influx of visitors from HN have already broken it?

It's per IP so if the loading is done in a distributed fashion, say via AJAX, it'll work fine.

I'm not aware of rate limits for individual repos. I think they can set it up if they want but it's not enabled by default. I remember a package manager hammering GitHub with anonymous requests that they limited but that was a special case.

> making the limit a nonissue (unless someone is binge-reading more than a post a minute)

The one issue that jumps to mind is for CGNAT'ed users if that rate limit is for site wide un-authed requests. CGNATing cell users is pretty popular here in the UK.

Home users too, these days - unless you're on an unlimited connection, BT will put you behind CGNAT unless you explicitly opt out.

I know BT were talking about testing it on plusnet customers, didn't know they rolled it out to their whole network.

The author should consider https://staticman.net . This gets them comments as PRs and comments from the page.

I'm not affiliated with the site, I've just used them for comments on one static github hosted blog post.

That's a cool idea, I need to look into that. Up until now I used isso, but the non-static nature of Isso-comments always annoyed me.

Barely similar, and also helpful for static sites: a 3rd-party (and open source/self-hostable) option to password-protect (HTTP Basic Auth) files on S3:


I would be interested to hear about Google / Azure cloud alternatives.

Would be great if could have JavaScript which would perform the PR directly from user's browser to github instead of going through static man in the middle.

This is cool. I like the simplicity and DIY approach.

I've done something similar with my blog. [1] It's not using Disqus or any heavyweight 3rd party solution for comments.

Instead, I've created something very simple, similar to GitHub Issues frontend UI and backend, and used that. The backend is completely pluggable (it's an interface [2]), so it can be implemented by talking to real GitHub API [3], or any custom implementation you want. My blog uses a simple JSON files implementation, so I can avoid a heavyweight database dependency.

Oh, and I've also implemented reactions. Not just 6, all of them. [4]

I do use GitHub for authentication though, I don't want to make people come up with yet another password.

[1] https://dmitri.shuralyov.com/blog/23#comment-1

[2] https://godoc.org/github.com/shurcooL/issues#Service

[3] https://godoc.org/github.com/shurcooL/issues/githubapi

[4] https://dmitri.shuralyov.com/blog/16

This is awesome. You should make this a service. I'd pay a few bucks a month to get rid of Disqus.

It seems Valley companies really love tracking. Disqus wasn't surprising that it was telling the entire world that you visited a page.

What surprises me is disqus didn't even give a shit about the page's loading time in an effort to violate users' privacy and trust.

Disqus, if you are reading this thread, shame on you!

Well... they have to make money to pay bills and make a return for investors - they're not an altruistic charity. The trackers appear to feed into behavioral targeting companies who probably pay for it.

Their pricing page clearly says the free version is ad supported, paid versions can turn off ads.

But it is sad how 'ads' is now synonym for 'behavioral analysis and internet wide tracking'. On blogs and the like, they instead could show ads that are related to the blog, not the specific reader.

Basically the reason that doesn't happen is because such a business model of matching blog one by one with advertisers doesn't scale - neither for the buyer, nor for the seller.

The person making such a market cannot make a living out of it without automation unless the blog comes off the bat with millions of viewers (think top YouTube channel content creators who get sponsorship). With automation comes the need for tracking.

Almost always this has a highly enforced anonymity - since the behavioral signal is more valuable than knowing who exactly you are.

They could do one tracking request and fan out to different tracking systems on the backend. Doesn't solve the privacy issue, but solves the loading issue.

I don't really like the idea of "exploiting" GitHub issues for blog comments.

This is obviously not a designed feature of GitHub API and it feels like an abuse of GitHub service.

To me this feels like something GitHub would approve of. GitHub Issues intentionally gives users a lot of freedom so they can use it however they want. Unlike competitors who forced you to do something a certain way.

This is creative, and if your blog is hosted via GitHub Pages, then using Issues to discuss the content is not far-fetched at all.

Yes. I see a way GitHub could turn the Issue feature into a more flexible service that explicitly allows this kind of use cases. However, as of now, there was no explicit wording that encourages creative use of Issues and its API.

While GitHub may keep silent now as there are not many people doing this, if in the future the "hacks" become more popular, we could see GitHub taking a stance on this.

I certainly hope GitHub can give some explicit consent to these use cases, which could lead to an entire set of new services that GitHub can offer (like what Google is doing currently).

I remember that when people started to use GitHub for other things besides code GitHub released a blog post telling it liked the idea, and started to display formatted CSV, YAML front-matter, GeoJSON, PDF and who knows what else.

I totally get the concern as Disqus is a third party with their own monetization and ad goals. But it still seems a bit abusive of GitHub as a free service?

Why not stand up a Discourse instance for your comments? https://meta.discourse.org/t/embedding-discourse-comments-vi...

> Why not stand up a Discourse instance

Worth noting that hackers who use workarounds like this are doing it for the fun and since it looks like an unmonetized personal blog, OP presumably would prefer not having a monthly bill for servers.

For any serious project, I agree that discourse is a great option or maybe a custom built comments solution depending on the use case.

yes, but the author is paying for his own dns name and hosting, so hosting his own discussions would be less of a problem for him.

Still he is right, the price for a free service is to be tracked to the right, left and center...

That's a bit ironical.. GitHub is another free service after all, and they do have a careers business which essentially trades on your public profile

That's opt in.

The blog itself is hosted on GitHub in accordance with their terms of service, and the comments are rate-limited by existing policies. So it seems like intended use.

It's nice to have the content and the comments handled by the same provider, so that they are available under the same circumstances.

Because Disqus is free and takes just a few seconds to add the snippet of JS code to your site to work whereas Discourse requires a 2GIG server at $10-$20 a month and then usually hours of configuration.

Discourse may or may not be good system but I find it sad that it has such huge requirements compared to old school php forums like phpbb, smf, vbulletin etc...

Only 1Gb is required, which is $5/month on some VPS providers. Redis, Postgres, Sidekiq, etc all need to be running. It's a modern stack.

Discourse really isn't very good. If you want a more powerful forum system that doesn't need as much CPU power, get SMF or Xenforo or MyBB or something. If you want some new fancy thing, get NodeBB. Many of the sites that used to use Discourse are moving to NodeBB.

We don't see many NodeBB sites in the wild. If you want an old-school, traditional PHP / MySQL system, XenForo is a good choice, but there are a lot of critical security exploits, so stay up to date.

"Many of the sites that used to use Discourse are moving to NodeBB"

Source? Data?

I came to say the same thing. This option works great.

You can embed your comments as needed... customize / configure Discourse as needed... it's easy to work with (even across pages hosted on different URLs -- if you can set a Canonical you can call the right comments)... easy to add signups to your CRM... my clients running this setup have been very happy with it.

Disqus... you leave the site, you leave the branded design, to create an account and sign in... it's trash for real sites.

GitHub... seems like shoehorning in something not quite right. "Paint the cat orange and call it a tiger..."

I was totally sold with github as comments, but then I saw you need to leave the page to comment. That's really unfortunate! If we could get a minimalist, not tracking widget that would be ideal.

I think it should be possible without too much hassle to use the api to authenticate the user and then allow them to POST a comment:


Good idea. As someone commented on the blog, the widget code could be lazy-loaded when a reader clicks some kind of "leave a comment" control.

That and you need a GitHub login to comment and it'd be tied to it permanently. I'd imagine that solves quite a bit of the spam problem though.

No, it will simply cause github to be overrun by people making accounts just to spam.

I think expecting your users to have a GitHub account to leave comments is a terrible idea. Normal non-developers do not have, do not want, and should probably not be enticed to, make a GitHub account for purposes that have nothing to do with GitHub. Not to mention that unless GitHub themselves state that this is perfectly acceptable, they could take steps at any time to counter/block such usage.

Better: Load Disqus comments on demand when pressing a button. Have seen this approach on some websites. The usage of GitHub for comments seems really wrong for me. Then better opt out with a system like Isso.

Wow, Disqus does so much tracking, this is insane. I am wondering why do they need these many services.

To make more money.

I was quite amazed at the number of trackers listed. But on my own blog, where Disqus is used, I never see most of them. The only domains loaded are from disqus or Google Analytics.

Any idea what causes the difference?

Here is a similar breakdown for your blog: https://tools.pingdom.com/#!/cW9edn/https://blog.dbrgn.ch/20...

I see many, though certainly not all, of the same trackers there. Also yours seems to load much faster even with all the trackers.

Interesting, Domains like connect.facebook.net or rc.rlcdn.com don't show up in the Chromium network connection list, even in an anonymous session (so that all extensions are disabled).

Found this: https://blog.disqus.com/protecting-users-privacy-on-disqus My browser didn't send a DNT header with the request though. The blogpost seems to be a bit of a joke when comparing it to the list of trackers reported by pingdom.

I'll definitely look for a Disqus replacement :)

Looks like cookies / tracking is configurable, but on-by-default: https://tmp.dbrgn.ch/screenshots/20170422180405-741vsvai.png (screenshot from the config UI)

They run ads through a 3rd party, that's where the tags come from.

This is a problem that Google Wave solved really nicely. You could embed a "Wave" at the bottom of each post on your blog/s. All of them then appeared in your Wave client in one place and you could reply/admin from there (or on the blog/s themselves).

I'm sad that didn't take off, it was so handy.

You still can use it through Sandstorm, or even self-host it!

There's a free demo here: https://apps.sandstorm.io/app/2m8rty615fcj11z2u5674s8a74yv48...

Sorry but have you seen the reviews for the app? Not a single positive review. The whole thing is unmaintained (again see the reviews).

I've been looking at this, but the AWS setup seems arcane. Were you able to get it set up?

I never ever found disqus bad as a user interface, it was swift and efficient. I had no idea about the amount of tracking though.

UX is nice, though I wouldn't call it efficient (off-site AJAX calls just to fetch a few blobs of text that should be a property of the site anyway). Then again, Disqus is not a comment system, it's a social network, so - tracking aside - it's fine if you care about its extra features (mostly site cross-marketing).

I like Isso as an open source, self-hosted alternative to Disqus https://posativ.org/isso/

What about spam filtering?

There seems to be a moderation queue feature: https://posativ.org/isso/docs/configuration/server/#moderati...

I've decided to move my blog to a GitHub + Gist since it's easy to crosslink and include code snippets. Visitors can write comments with their Github account and don't have to leave the site. The Github stars (likes) are also very nice :-) As "Index" I use a special Github Repo with link collection (date, title, url) to my Gist blogs and use Twitter to promote my blogs. Of course you could use the Github JSON API and jQuery to integrate it into your website :)

I just use a Github wiki for my blog. I metablogged about it:


I think the one tweak I need to make is keeping a copy of the blog index in the README.md for the main project. That way watching the project will effectively provide notification of new content.

It looks like GitHub caches this really aggressively, as there are more comments showing up on the issue than on the article page. That may be a major downside to this technique.

Oh, not cached but paginated. Looks like the implementation here doesn't take that into account.
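
An added example, not the blog's implementation: fetching every page of an issue's comments by following the `Link` header, refusing to follow a `next` URL that leaves the API origin, and stopping cleanly when the unauthenticated rate limit is exhausted. The repository path, the fake fetch and its sample pages are constructed so the code runs offline.

```javascript
// GitHub list endpoints return 30 items per page by default (per_page up to
// 100) and advertise further pages in a Link header with rel="next".
const API_ORIGIN = 'https://api.github.com';

// Parse a Link header into { rel: url }.
function parseLinkHeader(header) {
  const rels = {};
  for (const m of String(header || '').matchAll(/<([^>]*)>\s*;\s*rel="([^"]*)"/g)) {
    rels[m[2]] = m[1];
  }
  return rels;
}

// Collect all comments, following rel="next" up to maxPages requests.
// fetchFn has the shape of the browser fetch(); it is a parameter so the
// function can be exercised offline.
async function fetchAllComments(firstUrl, fetchFn, maxPages = 20) {
  const comments = [];
  let url = firstUrl;
  for (let page = 0; url && page < maxPages; page++) {
    // Never follow a pagination link that points away from the API origin.
    if (new URL(url).origin !== API_ORIGIN) {
      throw new Error('refusing to follow URL outside ' + API_ORIGIN);
    }
    const res = await fetchFn(url, { headers: { Accept: 'application/vnd.github.v3+json' } });
    // Rate limit exhausted: return what we have so the page can degrade.
    if (res.status === 403 && res.headers.get('X-RateLimit-Remaining') === '0') {
      const resetAt = Number(res.headers.get('X-RateLimit-Reset')) || null;
      return { comments, complete: false, reason: 'rate-limited', resetAt };
    }
    if (!res.ok) throw new Error('GitHub API returned HTTP ' + res.status);
    comments.push(...(await res.json()));
    url = parseLinkHeader(res.headers.get('Link')).next || null;
  }
  return { comments, complete: url === null, reason: url ? 'page-cap' : null, resetAt: null };
}

// Constructed stand-in for fetch(): serves canned responses keyed by URL.
function makeFakeFetch(pages) {
  return async (url) => {
    const page = pages[url];
    return {
      ok: page.status >= 200 && page.status < 300,
      status: page.status,
      headers: { get: (name) => page.headers[name.toLowerCase()] || null },
      json: async () => page.body,
    };
  };
}

// Constructed sample: three comments spread over two pages.
const FIRST_URL = API_ORIGIN + '/repos/example/blog/issues/1/comments?per_page=2';
const SAMPLE_PAGES = {
  [FIRST_URL]: {
    status: 200,
    headers: { link: `<${FIRST_URL}&page=2>; rel="next", <${FIRST_URL}&page=2>; rel="last"` },
    body: [{ id: 1 }, { id: 2 }],
  },
  [FIRST_URL + '&page=2']: { status: 200, headers: {}, body: [{ id: 3 }] },
};

fetchAllComments(FIRST_URL, makeFakeFetch(SAMPLE_PAGES))
  .then((r) => console.log(r.comments.length, 'comments, complete:', r.complete));
```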

I just unticked "Enable anonymous cookie targeting for your site's visitors." and that seems to have reduced the number of requests by 38!

Indeed, that reduces the number of requests a bit. You can find it under Settings -> Advanced.

just posted that I found a serious bug in the github comment API last month and to my knowledge this hasn't been fixed yet, or at least their support hasn't acknowledged that it's fixed yet. The bug affects pages with 500+ comments, it will return duplicate comments instead of the unique set of comments. For example if you had comments: [1,2,3,4], it would sometimes return [1,1,3,4].

If you're interested in this approach, I wrote about using GitHub issues as the basis for your blog, and not just comments - http://ebarnouflant.com/posts/4-turn-your-github-issues-into...

I've had an idea for a potential free solution that should be easy to implement if anyone has more time than me:

A one-click setup simple enough for non-technical users.

Instructions should be along these lines:

1. Sign up for AWS if you haven't already got an account

2. Generate a keypair and run our setup/load our template/whatever (I'm a bit hazy on AWS automation but I would imagine there's a fairly obvious way to do this. The new CodeStar thing looks like it might fit the bill)

3. Place this snippet of javascript in your page

The service would use Lambda and DynamoDB to handle storing/serving the comments. Costs would be fairly minimal for low-traffic sites.

Rough guess is that this would be no more than a few days to a couple of weeks work for someone. Am I over-optimistic?

So either someone does this to scratch an itch or we fund it via Patreon/Kickstarter.

I've had an idea for a potential free solution: www.wordpress.com

Nevermind. It's not an idea, it's a real product.

You're gonna have a very hard time if you want to run instances, lambda and dynamodb in the cloud only to run a blog with comments. First, it's really complex to setup, even for an experienced dev. Second, it's gonna cost a ton of money and you'll be at the mercy of your traffic.

This wasn't a solution for "a blog with comments" - it was a solution for a pluggable comments app that you could add to any site even static html. We were talking about Disqus so I was thinking about what Disqus brings to the table.

> First, it's really complex to setup, even for an experienced dev.

The whole point of the idea was that the setup would be templated. That's why I spelt out the steps I envisaged the end-user having to perform. Did you miss that part?

> Second, it's gonna cost a ton of money and you'll be at the mercy of your traffic.

This depends on traffic and my hunch is that it would be quite affordable for most low/medium traffic blogs. Lambda is dirt cheap and Dynamo has a very generous free allowance. Also see the suggestion below and my reply. The comments section would only need to be generated when a comment was posted and the html fragment could be stored in a free CDN.

This could work, but only if you could automate billing caps too. I imagine for a low-traffic blog this could easily fit within free-tier requirements, but you don't want to suddenly get a bill when a page gets HN'd or something. Ideally the service should just fail when it hits free-tier limits and you can use the local js to display "Comments unavailable due to high traffic" or whatever.

If any of this is not automatable it fails as an idea, because configuring AWS requires a colossal amount of effort from someone who hasn't already used it.

Do any cloud providers implement straightforward spending limits?


There is no way to set a budget for AWS.


There is no feature that allows you to configure a limited budget on GCE. This feature is certainly available for GAE.


Azure: it's possible for certain subscriptions, but not for pay-as-you-go. Sounds like there are political motives at work, not technical ones.

Spending limits are far more complicated than they might seem since these services are designed to be billed by usage and many accrue charges even in a steady state.

What exactly is supposed to happen when the billing limit is hit? Delete everything? That's the only way to actually stop billing completely and I'm not sure who would actually want that.

No service that I know of deletes everything even when there are billing issues. No public access is nearly equivalent from the end user's perspective, and usually there is a grace period before everything is deleted. All in all it is an interesting conflict of interest on the cloud provider's part.

This deserves its own post... Are there previous conversations around this? A quick search isn't giving me much.

I think azure has a spending limit.

I'd go one step further and would generate structured files with the comments, which are stored in an HTTP-enabled S3-bucket, so the website showing the comments can still rely solely on static resources for comment display and only requires AWS Lambda/DynamoDB for posting new ones.

Great idea. Don't forget that Dynamo has a generous free allowance. I'm not sure how much you'd save. Maybe instead of S3 you could use a free CDN such as Cloudflare.

Dear god that is an absolutely insane amount of 3rd party tracking. You would think Disqus would aggregate all the tracking into one service they control and then distribute it out (and also, it would only be one thing that needs to be blocked with uBlock Origin. Two problems solved!)

That doesn't work because each of the trackers needs to receive their own cookie in the request to properly track users across sites.

Disqus runs ads white-labeled through adsnative.com - and this is a programmatic ad network that uses real-time bidding to run auctions and get ads as the page loads - which come with numerous adtech networks attached in those tags. None of those listed are malware or outright harmful but they are all adtech companies in some aspect (ad serving, data tracking, verification, etc).

Disqus without ads and without real-time comments is pretty fast, but those days are long gone and they're also full of spam. It's also such easy spam to catch that it feels like they just stopped caring and are cashing in as long as they can.

Also why not just use Gists? I've seen a few people use them as a standalone blog pages with markdown files, and it also has an API available.

I'm not sure if this is really relevant, but recently I've been looking into something similar: trying to find a decent, self-hosted, simple "real-time chatbox" to add to my site instead of the various online options. Anyone know of something good for this?

BTW, if I open a page from disqus.com (1) with their comments I don't see those strange requests but if I open a page from someone's website (2) they are there!

1: https://blog.disqus.com/how-spoilertv-built-a-community-of-1... 2: http://www.thedailyreview.com/news/2017-04-26/Today%27s_Top_...

Can you replace gray on gray text with human readable colors next?

I've made the decision to remove comments from my personal blog[1], and use Pull Requests and Issues for substantive discussion. "Chat" kinds of discussions are better off on social media like Twitter, or in specific communities, like HN.

[1] http://douglastarr.com/your-blog-may-not-need-comments

Is there a good alternative to Disqus? I'd like something that's hosted for me, but also isn't as intrusive and maybe a bit cleaner.

One I found a few days ago (self hosted): https://github.com/posativ/isso

Would be perfect if it supports an external database and not only sqlite.

Inspired by all this, I removed disqus from my own static blog. Nobody ever wrote me anything either so it's not going to be a big loss.

I can't help but put my link here, I'm bootstrapping Remarkbox (https://www.remarkbox.com) and currently allowing people to sign up for the beta.

You can see a working proof of concept / mvp today.

Nice observation!

I don't know if Disqus requests so much tracking. Currently, I am setting up a personal blog and looking for a comment system for it. There are two choices: Disqus and Twitter. Why? Disqus is free and easy to put it to whatever blog platforms you use and Twitter is free too, I think many people have it. After reading this, I think GitHub is not a good place to give a comment because somebody who doesn't have an account must register first. I am talking about "non-developer" reader.

Does anybody here use Twitter as a blog comment system? I would like to know your experience since some people usually use it for their blog.

Limiting a comment's length to 140 characters sounds pretty shitty, especially if your content will be content suited for longer in-depth replies.

Anybody using firebase to roll their own comment system?

Dumb question: Why don't people just slap a little PHP + MySQL comment section (or similar) onto their site? It takes little skill to do that and has the benefit that you control everything because all requests go to you and you can manage the tables yourself.

Fighting spam can become a full-time job. More popular options either just take care of most of this (Disqus) or have plug-ins to help (WordPress).

For sufficiently motivated adversaries, even a custom UI isn't enough of a roadblock.

Even if you put a CAPTCHA in there?

I think using Google's implementation winds up being enough, but anything homebrew/self-hosted (to avoid tracking) is usually not going to protect high-value targets. Any recommendations would be appreciated!

>but anything homebrew/self-hosted (to avoid tracking) is usually not going to protect high-value targets.

Is it really realistic to expect advanced attacks on CAPTCHAs with visual recognition or Mechanical Turk? I think you'd have to be a very high value target. I wrote a little PHP captcha when I was 15 and I've been using it ever since, and I never got any spam on my (admittedly very low-traffic) sites.

I actually wanted to implement visual perturbations based on perlin noise, but I really never got around to doing that. Would be an exciting little project.

I wonder the same thing. This seems like a solution in search of a problem. For your average blog, a spam filter plus a moderation queue for first-time posters works just fine.

Also, if a site asks me to use someone else's credentials to comment, I probably won't bother. Why should my hobby-coding account on Github, or my spam-catching account on Gmail, be linked to your blog about philately or bird-watching?

A lot of people's blogs are on static site generators like Jekyll or Hugo. No DB there.

They could still embed a custom commenting system instead of resorting to disqus or weird hacks around various apis that weren't meant for the task.

I think Disqus also just has a lot of UI issues. For sites that I visit which used to implement their own comment system and switched, it has only been for the worse. You could argue that the opposite should be true since comments are Disqus's job and they can focus on doing just that thing well. But sites where people regularly comment are communities. Each wants things to work a little differently to match how the community functions. But besides that there are more basic things it simply doesn't handle well like paging and collapsing.
