Show HN: Commento: a fast, privacy-focused alternative to Disqus (commento.io)
271 points by adtac on Feb 20, 2019 | 85 comments

Hiya, creator here. My original post from April 2017 [1] when I released Commento as a self-hosted software received fantastic feedback, but the single most requested feature was a hosted service because it's not always convenient to maintain a server. Plus, it'll never be a proper alternative to Disqus unless there's a hosted version.

So that's what I've been working on for the past year or so. I've received some great feedback from seasoned bloggers who are now using the service and this has helped the project mature so much over this period. I'm really happy to finally announce the public release of the hosted version (it's been in private beta for a few months now)!

Anyway, AMA!

[1] https://news.ycombinator.com/item?id=14202456

Product looks fantastic, well done. Always refreshing to see services actively attempt to keep payloads small.

If there is anything to criticize about the marketing part for me it would be the "privacy focused" bit. Personally I think in 2019 saying you're privacy focused and then only backing that up with a privacy policy is a bit much. You can change it at any time and "continued use of the service" is deemed to have accepted any changes. But even then, AFAIK privacy policies aren't legally binding right?

"Privacy focused" to me means that the business running the service has limited or no access to private information in some way. But that's just me, I am probably a minority.

Honestly, I always thought being privacy focused is simply not succumbing to third-party trackers, ads, and other shady stuff. Really, the barrier for entry to qualify as privacy-focused in the comments space is extremely low.

But you make a good point. I'll think about this to see if there are more concrete ways to offer privacy.

And thanks for the kind words!

"Privacy" isn't the real issue for me. The reason I don't want all that tracking to happen with my comments plugin is speed.

Disqus is awful because it spins for 8 seconds before you can see any comments. All that time tracking my users and violating their privacy adds up to a terrible user experience for them.

If they could track my users and violate their privacy during the 100ms it ought to take to load comments from a database, that would be fine.

Everybody tracks and violates these days, so it's all just noise at this point. At least they don't pop up their own thing my users need to click on to accept it all.

The important thing is that comments work. And Disqus can't make that happen.

This is cool. Congrats on getting it out there.

The one thing I'm most concerned about when putting 3rd party comments on a web site is whether it is easy to comment. Like, do they have to sign up for something? Remember another password? Can they just automatically post if they already have an account elsewhere? (the big advantage of facebook comments)

How does that work at Commento? Do you have any thoughts on allowing sites that already have user accounts to somehow use those directly?

OAuth is supported, so you don't need a new account. If you have a Google/Github account, you're good. I'll be adding more providers soon too (Twitter/Gitlab).

Alternatively, you can choose to post anonymously, if you've enabled that in your website. All it requires is checking a checkbox before posting the comment to reduce friction to engagement.

Cool, thanks.

Wow. This looks great. I loved Disqus when it first arrived as it gave static sites a way of having comments. Your product neatly fits the bill of giving us the ownership of the comments back.

I notice that the self hosting options use postgres only. Did you have any plans to expand upon that? (I use mysql mostly).

Keep up the great work!

Right now, the code is tightly coupled with Postgres and it uses some Postgres-specific SQL stuff. But that said, I'll think about some kind of database abstraction layer and maybe even support SQLite. No promises right away though, haha.

Agreed – looks like a fantastic product! Seconding the question about MySQL support. I use MySQL for everything. I don't want to add extra gigs of RAM to my VPS just to run an instance of PostgreSQL for Commento. Postgres is much slower than MySQL in simple applications and uses a lot more memory per connection. MySQL is also more popular and more people know how to use it and tune it properly. Postgres is probably more stable, but I don't care about that in a commenting app.

Posting something like `<script type="text/javascript">alert('hello')</script>` creates a blank comment instead of safely HTML encoding the text.

Do you use text processing to identify spammers or can it spot things like forum slides (inflammatory comments designed to trigger a reply cascade and push other content aside)? Any API for researchers?

It looks like an excellent Disqus alternative and goodness knows we need more of those.

Right now, I'm relying on Akismet [1] to automatically filter spam, which is a really good service. It's built by Automattic and they've had years of spam data to work with.

I haven't thought about forum slides, but that's pretty interesting too. I don't think Akismet could detect something like that. Of course, you can do it with moderators (you can make it so that all comments must be approved; or you can auto-approve and delete the offtopic ones later), but an automated way to detect that would be cool.

This is the long-term research plan I have; maybe we can even do away with Akismet. Spam is one of the hardest problems to solve, so it'll be interesting. But for now, I'm relying on Akismet until there are fewer and fewer core features left to implement.


[1] https://akismet.com/

On my blog I ask a random question that any of my readers would know the answer to. This makes sure they actually read what they are commenting and I received zero spam so far.

I switched to disqus years ago because Akismet was failing to identify spam on my wordpress site. So far with disqus I get maybe 2 a year

Be aware that Akismet is a problematic service to use in the EU, because you might be sending private data over to that company. Akismet can be used without that metadata, maybe you do that already, just something to look out for

You could try to filter spam with a simple bayes filter for a start, good idea anyway to have a solution inhouse.

Personally, I'd prefer to not be using akismet.

Perhaps you could build in a 'self-learning' feature built off the results of akismet such that one day you can provide an alternate spam system altogether.

This looks great, and the landing page does a fantastic job of summarizing the features and benefits. I know some of the web comic creators I follow are kind of dissatisfied with the current direction of Disqus, so I'll probably recommend this to them if and when it comes up.

Hi Adhityaa, in your Terms of Service (https://commento.io/terms), you reference your company as "Commento, Inc". What US state (or jurisdiction) is it incorporated in?

Commento, Inc. is incorporated in the state of Delaware, USA (file #6797473).

Is it possible to style/customize the root comment, so that I essentially get a parent post and then all child comments?

I am currently making such a site but if Commento offers customization of specific/root comments then I really wouldn't need to do any work.

You can override the styling with your own CSS. See https://docs.commento.io/configuration/frontend/

Right now, there isn't any unique class for root level comments, but it should be trivial to add such a class so that you could style it easily. For example, if I added `.commento-root-comment` to all root comments, you could simply style it with the override in just a few lines.

Nice, looks polished. I remember it from 2017.

I still want to drop Disqus. But I'd need to get all of my exported comments from Disqus into Commento. Is this possible?

Yep. So you'll need to start an export of your comments on Disqus. They'll send you a link to an archive. Paste that link in the dashboard and all comments will be downloaded and imported (preserving formatting, reply structure, etc.). More info in the dashboard.

From this page, it looks like importing comments from Disqus is supported: https://commento.io/pricing

Here's an angle you might consider pursuing. Disqus basically doesn't follow their terms of service:


Perhaps there's a niche there for someone who is a bit more stringent about keeping out the garbage.

It's not even just that lol, Disqus is still "working towards GDPR compliance" according to their privacy policy [1], almost a full year after GDPR came into effect.

[1] http://archive.is/is90r

having a terms of service doesn't magically give you super powers for policing content

People continue to report sites like that for the hate speech, racism and so on, and Disqus doesn't do anything. They could easily drop the entire site.

Their customer is the site, not the commentators (or people reporting negative comments)? So dropping an entire site due to a lot of complaints would just hurt their revenue. Also it wouldn't necessarily be fair to the site if there's a lot of trolls and racists etc in the comments through no fault of the site.

Not sure if it was intentional, but unauthenticated users can see the email addresses of all non-anonymous commenters on a page. Specifically, a POST is made to "https://commento.io/api/comment/list"

Might want to hide those since this is supposed to be privacy-focused.

Fixed! Thanks, I'll patch this upstream soon enough :)

I actually had the provision to omit the email in these requests [1], but I forgot to unset the email before responding.

[1] https://gitlab.com/commento/commento/blob/master/api/comment...
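An added example for the exchange above, not part of the thread and not Commento's own code: instead of unsetting the email on a shared struct before responding, the public response type has no email field at all, and a regression check scans the serialized body for stored addresses. The struct shapes, JSON keys, the moderator role and the sample data are assumptions made for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// storedCommenter is the server-side record (hypothetical shape).
type storedCommenter struct {
	Hex, Name, Email, Photo string
}

// publicCommenter is the only view anonymous readers receive. It has no
// Email field, so there is nothing to forget to unset before responding.
type publicCommenter struct {
	Hex   string `json:"commenterHex"`
	Name  string `json:"name"`
	Photo string `json:"photo,omitempty"`
}

// moderatorCommenter extends the public view for authenticated moderators
// (the moderator role is an assumption of this example).
type moderatorCommenter struct {
	publicCommenter
	Email string `json:"email"`
}

// commenterListResponse serializes the commenters for one page, choosing the
// view type from the caller's role.
func commenterListResponse(rows []storedCommenter, isModerator bool) ([]byte, error) {
	views := make([]interface{}, 0, len(rows))
	for _, r := range rows {
		pub := publicCommenter{Hex: r.Hex, Name: r.Name, Photo: r.Photo}
		if isModerator {
			views = append(views, moderatorCommenter{publicCommenter: pub, Email: r.Email})
		} else {
			views = append(views, pub)
		}
	}
	return json.Marshal(map[string]interface{}{"success": true, "commenters": views})
}

// leakedEmails is a regression check: it returns every stored address that
// appears anywhere in a serialized response body.
func leakedEmails(body []byte, rows []storedCommenter) []string {
	var leaked []string
	for _, r := range rows {
		if r.Email != "" && strings.Contains(string(body), r.Email) {
			leaked = append(leaked, r.Email)
		}
	}
	return leaked
}

// sampleRows returns constructed test data, not real commenters.
func sampleRows() []storedCommenter {
	return []storedCommenter{
		{Hex: "c0ffee01", Name: "Alice", Email: "alice@example.com"},
		{Hex: "c0ffee02", Name: "Bob", Email: "bob@example.org", Photo: "https://example.com/bob.png"},
	}
}

func main() {
	rows := sampleRows()
	anon, _ := commenterListResponse(rows, false)
	fmt.Printf("anonymous view: %s\nleaked: %v\n", anon, leakedEmails(anon, rows))
}
```

Running `leakedEmails` against every unauthenticated endpoint in a test suite catches the same class of leak if a later change reintroduces the field.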

Cool project! I'm actually in the process of rebuilding my personal site as a static site and if I decide to add comments back in (I'm torn on this), this looks like it's going to be pretty high on my list.

As an aside, I was looking at your source on Gitlab, and if I'm reading your Dockerfile correctly, it's a really nice example of using multi-stage builds to build within Docker but produce a final image that doesn't have the full build system in it. This is something I'd been intending to look into for a personal project, so thanks for saving me a bunch of time. :)

Wow, never thought someone would pay attention to that! I was the original contributor (https://github.com/adtac/commento/pull/109) for that change, so happy to answer any questions.

My day job involves a lot of Docker, Kubernetes, and microservices stuff, and the way we do builds and deployments is in flux... so every time I'm looking at a new project at work, almost the first thing I do every time is go hunting for the Docker artifacts to figure out what deployment looks like.

Apparently this habit is now rubbing off on open-source projects, too. :)

Hey Ian! :)

Hey! And congrats, hope you're well :) The company I was previously working for is still using Commento, great job!

"I'm very happy to offer free, perpetual Commento.io access in exchange for non-trivial patches."

That's very cool. I wonder if anyone else does that.

Shameless plug, there is also GraphComment — https://graphcomment.com/en/ — with similar features, and some different ones too. We respect privacy and don’t sell user data.

Disclaimer: I work for this company, as you might have already guessed.

You might consider removing the Facebook Pixel Code script from the webpage otherwise you respect my privacy as much as FB does, and they in fact do sell user data.

Thanks, btw Adblocker uglifies design of your main page

Also, do you have SSO feature?

Yes we do! It's available on plans starting at 19$/month though.

Looks really good. One issue I've had with third-party services like this is authentication. I don't want my users to have multiple logins just to comment. Is there a way to use my main site's authentication?

SSO is a planned feature. It's still pending design, but basically here's how it'd work: you'd be required to make a request to the Commento API when someone logs into your website or creates a new account. You will be given a session token that should be served to the user so that they're identified when they load a page. No ETA on when the feature would be available, sorry!

SSO or Facebook & Twitter OAuth would be a requirement for us.

I followed the OAuth Plugin issue [0]

I also wanted to create a new issue for SSO, but Gitlab thinks I'm a spammer, so they blocked me from creating one with the cancer that is ReCaptcha.

[0]: https://gitlab.com/commento/commento/issues/80

A comment elsewhere in the thread says Twitter OAuth will be added soon.

>OAuth is supported, so you don't need a new account. If you have a Google/Github account, you're good. I'll be adding more providers soon too (Twitter/Gitlab).

I'll drop my service in this thread too: https://www.remarkbox.com

I offer a free-forever plan and then monthly or yearly plans for customizing the look and behavior of the comments.

Great for static sites.

Nodes is a term for geeks.

If I have commented and then verified my email I want unverified nodes as a todo.

" Welcome to Remarkbox. You have unverified comments. Please check they belong to you and verify them. You will then be notified if somebody replies to them.

[x] I suggest something better / 1 days ago / foo.com/blog/a-good-choice

[x] I am stuck at X / 2 days ago / foo.docs.com/product/intro

[These are my comments, verify them] "

Login state should be represented in a consistent place. If I am not logged in, there is a email field at the bottom. If I am logged in, there is my username at top. A gravatar would have helped.

Thank you for finding and documenting these usability issues!

I would like to discuss this further, could you please reach out to me? https://russell.ballestrini.net/contact/

You might want to rethink using such a light font, this is how it looks on Firefox, Windows: https://i.imgur.com/D6QIth9.png

Thank you for the suggestion. I'll work on that today.

It's self-hosted and gives your users true privacy.

You can self-host Commento too :) In fact, that was the only way until recently haha.

I personally don't have a use for this (yet) but it looks like a great project with some worthy goals. Hope it's a success.

Just to throw in my two cents: there's also https://utteranc.es/. It takes a bit more effort to get up and running, but if you're comfortable with your comments being powered by GitHub issues, it's a great way to go!

I really like this. I've blocked Disqus for years so I'm hoping you see adoption and I can start participating in more discussions on sites I visit.

Looks awesome, and something that I've been wanting myself for a while now. I'm curious about your pricing model (pay what you want). How has that been going so far, if you don't mind me asking? I have a couple of small projects that I've been considering that for but I'm curious as to how it actually plays out in the real world.

It's going pretty well actually. I originally had three different plans with feature-walls, but I hated doing that, so I just freed it all up under one umbrella. Stripe dashboard tells me the average subscription is around what Disqus charges ($9), so I think it's a good idea overall. I definitely recommend it. In my mind, if I see a product using a similar pricing, I feel more valued because I'm given a choice. But that's just me.

I do have a custom option for enterprises because their needs are always unique. I usually charge much higher for this (also comes with a much larger pageview count monthly).

Very cool, thanks for sharing!

I checked your demo and the login workflow with email is kinda hostile. Remarkbox, whose founder commented here, allows me to leave a comment and log in later using magic links. Your product insists on providing details before allowing me to post my comment. And modals could clash with other sites.

This might have been useful 6 months ago. At work I actually made a Disqus replacement recently.

Oh that's right - I work for a media company so we want to hoard as much data as possible.

Fullname, email, zipcode, DOB... we ask for all of that if you sign up on our site.

I really like this and hope more people adopt it. Disqus's accessibility problems always drive me mad. It's usable but... This one's much better, though not perfect.

Congrats on the launch of your hosted version of Commento! I didn't see this in either version but would you entertain the feature of adding annotations?

That's a great suggestion, thanks, I'll create an issue for this!

Just a design suggestion...

Make or have a bigger/bolder logo and center it vs. making your branding small and to the left.

I'll adopt this over Disqus even just for the ability to vote down.

Does something like this exist for native Android / iOS apps?

That's a great looking landing page. Nice work.

Cool! This is exactly what I was looking for.

someone should get the community leaders from canonical to use this in their stuff for 20 bucks.

Disqus... Flashback 2011

Does it require javascript?

If so, I'd be interested in finding yet another alternative that does not.

Allowing javascript to run in one's browser is itself a concern for both privacy and security.

The issue I see with that is making it easy to embed on sites, I don't think an iframe works well for the purpose of embedding universally. I guess you could have each button for upvoting, staring, etc. be a link or POSTed form, but I think that would be more resource intensive and more difficult to cache if you had to render out each possible state the comments could be in (comment x expanded or not, comment y expanded or not, both together, starred, etc.) every time something is clicked. On the positive side, commento's JS payload is pretty small. I would be up for the challenge though, because it is probably doable with no JS. The non-HN crowd won't care though

"I don't think an iframe works well for the purpose of embedding universally."

Why does there need to be an iframe? Why couldn't there just be a "click here for comments" link which takes you to a separate page?

"I think that would be more resource intensive and more difficult to cache"

That might be a concern for sites that get lots of traffic, but probably for most blogs it will not be a concern at all, as the comments they will get are few.

> Why does there need to be an iframe? Why couldn't there just be a "click here for comments" link which takes you to a separate page?

If you want to make something that replaces comment systems such as the one found in WordPress or Disqus, it needs to be embed-able in the site itself. I was imagining how best to make it look like Disqus or Commento, but work without JS. What you could do is in that iframe or whatever is have a "show comments" button and that would then load the comments, but if you only have a "click here for comments" link, why not just send commentators to reddit, HN or another social site?

"why not just send commentators to reddit, HN or another social site?"

Because I want full control of the comments, don't want my users to go to another site (because I don't control those sites, nor the comments the user leaves there, and don't want my users or their interest in my site or whatever I post to be tracked by those sites either).

The major attraction of commenting systems like this is their compatibility with static websites, but on the downside, they require JS to post to a third party site.

Someone could build a commenting system purely based on a CGI model, but then you would have to host the CGI on your server, and forward the comments to a third party service and back.

I agree with you on this.

I wrote Remarkbox [0] to work without the need for Javascript. Remarkbox does "power up" [1] when Javascript is enabled. This means it works for completely static sites, with or without the _need_ for Javascript.

[0] Remarkbox: https://www.remarkbox.com

[1] Capability driven Presentation: https://russell.ballestrini.net/capability-driven-presentati...

Why need a third party be involved at all?

Why can the comments just be hosted on one's own site and still not require javascript?

how that would work for static websites? let’s say I generate website from markdown files, and server (let’s say hosted on Amazon S3) does not support any backend languages. so how your suggestion would work?

To submit a comment, you could be sent to the 3rd-party commenting service, which requires a decision by user to enter comment into 3rd-party site. That site then connects to your private source code repo, generates the updated file and pushes it to S3. If your site is hosted on github, the commenting service could submit a PR to your repo, which would automatically update the site after the PR comment is merged.

It wouldn't work for static sites, but that doesn't mean you have to use javascript. As another comment in this thread pointed out, you could use server-side CGI to do it.

The whole idea is to use Javascript. That's what makes Disqus and co so easy to implement. You can even run it on completely static websites.
