This is now being implemented, behind an option that defaults off. Obviously we're extremely late to the party, but I think this is a common 'standard' we should have.
Gravatar works via an md5 hash of a user's email address. Exposing this to visitors is a security risk. So we will go through a local proxy script to get the gravatar. This also stops tracking. The privacy policy automatically will mention gravatar, if enabled, as there's still a privacy concern.
Gravatars will only show if no local avatar is set.
What is nice now is that Composr is tracking our external dependencies carefully, and in a maintainable way, and with unit testing where possible. So while in the past I was against adding external dependencies willy-nilly, this is no longer a concern.
Gravatar works via an md5 hash of a user's email address. Exposing this to visitors is a security risk. So we will go through a local proxy script to get the gravatar. This also stops tracking. The privacy policy automatically will mention gravatar, if enabled, as there's still a privacy concern.
Gravatars will only show if no local avatar is set.
What is nice now is that Composr is tracking our external dependencies carefully, and in a maintainable way, and with unit testing where possible. So while in the past I was against adding external dependencies willy-nilly, this is no longer a concern.