---
title: TPA-RFC-92: Emergency BBB hosting provider change
costs: similar
approval: TPA
affected users: all BBB users
deadline: N/A
status: standard
discussion: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41059
---


Summary: switch providers for BBB following security issues and lack of support; small changes to the BBB account policy.

[[TOC]]

# Background

We've been using Big Blue Button since around 2021, when we started using meet.coop for that service. This has served us relatively well for a couple of years, but in recent times, service has degraded to a point where it's sometimes difficult to use BBB at all.

We've also found out that BBB has some serious security issues with recordings, which likely affect our current provider. More seriously, our current server has been severely unmaintained for years.

Since 2023, meet.coop has effectively shut down. The original plan was to migrate services to another coop: services were supposed to be adopted by webtv.coop, but on 2025-10-15 they declined to offer support for the service, stating they were not involved in the project anymore. In July 2025, there was an attempt to revive things, but it's not clear this has led anywhere. The last assessment identified serious security issues with the servers, which "have not been maintained for years".

For example, the BBB servers seem to run Ubuntu 18.04, which has been out of support from Canonical for more than two years. A new person has started working to resolve the problem, but it will take weeks to resolve those issues, so we're looking at migrating to another provider.

# Proposal

Migrate our existing BBB server to Maadix. After evaluating half a dozen providers, they were the most responsive, and they were the ones who brought the security issues with recordings to our attention in the first place.

Change the account policy: retire all existing admins and centralise access control with TPA. Make non-core contributor accounts an exception, and retire all existing non-core accounts.

# Goals

These are the requirements that were set in the conference documentation as of 2025-10-15, and the basis for evaluating the providers.

## Must have

  • video/audio communication for groups of about 80 people
  • specifically, work sessions for teams internal to TPI
  • also, training sessions for people outside of TPI
  • host partner organizations in a private area in our infrastructure
  • a way for one person to mute themselves
  • long term maintenance costs covered
  • good tech support available
  • minimal mobile support (e.g. web app works on mobile)

## Nice to have

  • Reliable video support. Video chat is nice, but most video chat systems require all participants to turn video off, otherwise the communication lags noticeably.
  • allow people to call in by regular phone
  • usable to host a Tor meeting, which means more load (because possibly > 100 people) and more tools (like slide sharing or whiteboarding)
  • multi-party lightning talks, with ways to "pass the mic" across different users (currently done with Streamyard and Youtube)
  • respects our privacy: peer-to-peer encryption, or at least encryption with keys we control
  • free and open source software
  • Tor support
  • have a mobile app
  • inline chat
  • custom domain name
  • Single sign-on integration (SAML/OIDC)

# Non-Goals

  • replace BBB with some other service: time is too short to evaluate other software alternatives or provide training and transition

# Tasks

As it turns out, the BBB server is shared among multiple clients, so we can't perform a clean migration.

A partial migration involves only the following tasks:

  • new server provisioning (Maadix)
  • admin users creation (Maadix)
  • manual user migration (TPA / BBB admins)

New users will be created by the admin users, and rooms will be recreated by the users themselves.

Recordings will not be migrated.

# Cost estimates

The chosen provider will charge us 110 EUR per month, with a one-time 220 EUR setup fee. Major upgrades will be charged 70 EUR each.

# Timeline

Normally, such a proposal would be carefully considered, and providers carefully weighed and evaluated. Unfortunately, this is an emergency, and a more executive approach was taken.

Accounting has already approved the expense range, and TPA has collectively agreed Maadix is the right approach, so this is considered already approved as of 2025-10-21.

We are missing a detailed timeline for this project. Part of the problem is that we lack the capacity to organise one, and we're having trouble getting changes implemented on the old meet.coop server. But mostly, everything is being done as soon as possible at this stage.

As of 2025-10-22, a new server is being set up at Maadix, and we're hoping it will be online by the end of the week.

At some unknown time in the future, the old tor.meet.coop will be retired, or at least our data will be wiped from it. We're hoping the DNS record will be removed within a week or so.

# Affected users

All BBB users are affected by this, including users without accounts. The personas below explain the various differences.

## Visitors

Visitors, that is, users without BBB accounts who were joining rooms without authenticating, are the least impacted. The only difference they will notice is the URL change from tor.meet.coop to bbb.torproject.net.

They might also feel a little safer knowing proper controls are implemented over the recorded sessions.

## Regular BBB users who are core contributors

Existing users who are also core contributors are in a situation similar to visitors: mostly unchanged, although their account password will be reset.

For users with valid OpenPGP keys, their new password will be sent by email.

For other users, the "Reset password" link should be used to restore access to the account.

Room configurations will have to be recreated.

Room recordings should be downloaded from the old server as soon as possible for archival, or else be deleted.

## Regular BBB users without LDAP accounts

Those users were not migrated to the new server, as an exercise in cleaning up the user database.

People who do need an account to create new rooms may ask for an account by contacting TPA for support, although it is preferable to ask an existing core contributor to create a room instead.

Note that this is a slight adjustment of the previous BBB account policy, which opened the door more widely to non-core contributors.

## Core contributors who were not granted access to the old BBB

As part of the audit of the user database, we noticed a significant number of core contributors (~50) who had valid accounts in our authentication server (LDAP) yet did not have a BBB account.

Those users were granted access to the server, as part of an effort to harmonize our user databases.

## Old admins

All existing BBB admin accounts were revoked or downgraded to regular users. Administrator access is now restricted to TPA, which will grant access as part of normal onboarding procedures, or upon request.

TODO: password reset

## TPA

TPA will have slightly improved control over the service, by owning a domain name (bbb.torproject.net) that can be redirected or disabled to control access to the server.

TPA now has a more formal relationship with the upstream, as with a normal supplier. Previously, the relationship with meet.coop was a little fuzzier, as anarcat participated in the coop's organisation by sitting on its board.

# Alternatives considered

## Providers evaluation

For confidentiality reasons, the detailed provider evaluation is not shared publicly in this wiki. The details are available in GitLab internal notes, starting from this comment.

## Other videoconferencing platforms

In the discussion issue, many different approaches were discussed, in particular Matrix calls and Jitsi.

But at this point, we have a more urgent and immediate issue: our service quality is bad, and we have security issues to resolve. We're worried that the server is out of date and poorly managed, and we need to fix this urgently.

We're ready to look again at alternative platforms in the future: this proposal does not set BBB in stone as the sole videoconferencing platform for the foreseeable future. But we will be busy with this migration for a while, which will make it hard to experiment with or evaluate other alternatives until at least 2026.

## Copying the current user list

We could have copied the current user list, but we did not trust it. It had three accounts named "admin", over a dozen accounts with the admin role, users that were improperly retired and, in general, lots of users inconsistent with our current user base.

We also considered granting more people administrator access to the server, but in practice, TPA is now effectively responsible for this service. TPA is the team that handled the emergency and that ultimately handles authentication systems at Tor, along with onboarding on technical tools. It is only logical that TPA administers the new instance.
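The user database audit described here and in the "Core contributors who were not granted access to the old BBB" section (treat LDAP as authoritative, retire accounts that are not core contributors, create missing ones, downgrade every admin outside TPA, flag reused names such as the three "admin" accounts), as an added example that is not part of this RFC or of TPA's tooling. It assumes a BBB account export in CSV with `email,name,role` columns and a set of LDAP core-contributor emails; all sample data is constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample data (not real TPA users). The export column layout is
# an assumption: the real BBB/Greenlight export format is not described here.
BBB_EXPORT = """email,name,role
alice@example.org,Alice,admin
admin@example.org,admin,admin
admin2@example.org,admin,admin
bob@example.org,Bob,user
admin3@example.org,admin,admin
carol@example.org,Carol,admin
dave@example.org,Dave,user
"""
LDAP_CORE = {"alice@example.org", "bob@example.org",
             "erin@example.org", "frank@example.org"}
TPA_ADMINS = {"alice@example.org"}  # only accounts allowed to keep the admin role


def reconcile(bbb_csv, ldap_core, tpa_admins):
    """Compare a BBB user export against the LDAP core-contributor list.

    Returns the actions needed for LDAP to become the authoritative source:
    'retire'   BBB accounts with no LDAP counterpart (non-core accounts)
    'create'   LDAP core contributors who have no BBB account yet
    'downgrade' admin-role accounts that are not TPA
    'duplicate_names' display names shared by several accounts
    """
    rows = list(csv.DictReader(io.StringIO(bbb_csv)))
    bbb_emails = {r["email"].strip().lower() for r in rows}
    ldap = {e.lower() for e in ldap_core}
    tpa = {e.lower() for e in tpa_admins}
    names = Counter(r["name"].strip().lower() for r in rows)
    return {
        "retire": sorted(bbb_emails - ldap),
        "create": sorted(ldap - bbb_emails),
        "downgrade": sorted(r["email"].strip().lower() for r in rows
                            if r["role"].strip() == "admin"
                            and r["email"].strip().lower() not in tpa),
        "duplicate_names": sorted(n for n, c in names.items() if c > 1),
    }


if __name__ == "__main__":
    for action, accounts in reconcile(BBB_EXPORT, LDAP_CORE, TPA_ADMINS).items():
        print(f"{action}: {', '.join(accounts) or '(none)'}")
```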

# References