Lemmy

Apologies if that's already been asked, but since moving my instance 0.18 I can't seem to federate with kbin magazines any more. I just get empty feeds whenever I access them. Is this expected behaviour ?

Thanks again to the Dev for their insane work lately.

Most admins on Lemmy instances do not have backend access. That is generally reserved for the server owner/head admin only. So if your instance is going on- and offline intermittantly due to server load, admins will also be having a hard time getting on the site to moderate or really do anything. The server owners may be able to use the backend command line to do a tiny amount of moderation, but it's very much not intended to be used in that way.

I say this to remind everyone to please be patient on the 1st, there will be a massive influx of traffic, servers will go down, and admins may not be able to get on the site and moderate effectively until things settle down at least a little. We're trying our best.

I'm hoping to start a dialogue about the current use of descriptive community names, usernames, lack of semantic URLs, and other usability issues on the Lemmy platform. I say dialogue because I am new to Lemmy and I can appreciate that some things may be done differently here for specific reasons.

This is not my sandbox but I'd like to see a castle here someday nonetheless, and I'm willing to help make that happen if there's an appetite to see these core issues addressed:

1. Community display names

Community display names should not be used in any meaningful way on the platform. They should not be displayed in the feeds, nor in community search results. Personally, I don't think they should be used anywhere except as a byline on the community's feed.

These descriptive names are not unique and it is trivial for anyone to create a community and change its display name to match that of another on the same instance. This clone will appear right alongside the legitimate community in search results, page feeds, and even moderator lists (such as those viewed on profile pages).

Many community display names are so long that they are truncated when viewed in mobile apps, adding to the ambiguity.

It is also impossible to know the actual community name until a link is hovered over (impossible on mobile) or actually visited (potentially dangerous).

2. User display names

Similar to community names, these descriptive names should not be used in any meaningful way on the platform. There is nothing to stop me from changing my display name to that of a site admin, moderator, or user, and then creating posts under the guise of that person. Again, there is no way of knowing the actual username without hovering over the link (impossible on mobile), or visiting the user's profile directly.

Another side effect of showing display names in the feed is that some usernames appear as single emoji or with emojis in their name, which is distracting at best and annoying at worst.

In my opinion, display names should be restricted to a user's profile page, similar to how GitHub implements usernames and full names. Post feeds, search results, and any other meaningful place should display the unique username only.

3. Semantic (clean) URLs

A GitHub issue discussing cleaner URLs has been open since July 2020, which leads me to believe this isn't a priority. I won't list the many reasons why user-friendly, SEO-friendly post slugs are important today, as Wikipedia already has it covered (and with a clean URL). This merits of clean URLs have been written about extensively for more than a decade. The bottom line is that this:

https://lemmy.ml/lemmy_support/72hsHD/qol_usability_concerns

...or even this:

https://lemmy.ml/lemmy_support/563505

...reveals a lot more about a link before I click it than this:

https://lemmy.ml/post/563505

It helps to understand the link destination before you click it, and this is an issue that will only get messier if left unaddressed for too long.

4. Sanitized post titles

Last week, I noticed that users are able to include markdown in their post titles, allowing for `code` syntax highlighting in the title itself. This is a bad practice, prone to abuse in the long run as some users will increasingly try to draw attention to their posts.

5. Link posts don't link to the link

I fully appreciate that Lemmy isn't trying to be a Reddit clone but as a link aggregator platform, I'm surprised that link posts do not actually link to the submitted hyperlink. This contradicts not only Reddit, but other link aggregator services, including Hacker News and Lobsters. Currently, the user has to know to click the thumbnail instead of the post title, or enter into the post and then click the title a second time to visit the submitted link. This is just not intuitive.

We’re about to enter another Reddit mass migration phase starting tonight. We’ve already attracted the users most actively engaged with the protests and Reddit’s changes—users who are driven enough to put in the effort to grow the Fediverse.

Now we need to make it feel like home to casual users and lurkers. Not just attract them for a few visits, but keep it interesting enough that they stay here in the coming weeks/months.

Major kudos to all the developers working day and night to bring us familiar-feeling apps and interfaces on insanely short timelines. But what can the rest of us do to make Kbin and Lemmy feel like home to all the new Reddit refugees? Populate Lemmy and Kbin with as much quality content as you can find!

Over the next few weeks, fill your magazines/communities with as much good the content as you can. Post comments and subscribe to things. Click that upvote button on content or comments you like.

Not sure where to find good content? Ironically, check out your favorite subreddits for ideas. Make sure we have the best of the content you can find on Reddit. See a good article or link? Post it here! Don’t be shy about posting to interactive communities like Ask Lemmy- we’re after volume.

For OC Reddit posts, see if there’s a non-Reddit page to post here. I don’t know whether it’s acceptable to copy text posts, but if you do, make sure you at least give credit/copy a link to the original post.

Basically, do everything you can to engage over the next few weeks and avoid lurking. Show off the Fediverse and welcome the next group of Reddit refugees to their new home.

Edit: I completely forgot to call out all the people hosting and upgrading instances to help with the massive influx of users and keep the sites stable. Thank you, hosts!

cross-posted from: https://lemm.ee/post/530162

Please report issues with this version either here or at the issue tracker.

Changelog v1.2.0

• Add rewrite support for posts/comments
  
• Try to not rewrite federation links

---

Description

Lemmy Universal Link Switcher, or LULs for short, scans all links on all websites, and if any link points to a Lemmy instance that is not your main/home instance, it rewrites the link so that it instead points to your main instance. Currently only works for community/user links.

Features

• Rewrite links to Lemmy posts/comments to point to your home instance. Only after hovering over them, because getting home posts/comments links require communicating with the Lemmy servers, and we don't want to spam the servers.
  

• Instantly rewrite all links of communities or users to Lemmy/kbin on all websites everywhere to your new instance! The rewritten links will have an icon next to it, and hovering/touching the icon will show you the original link, allowing you to go there if you want to.
  

• If you are already on a page that has a corresponding page on your home instance, a link will automatically be added to the page header.
  

Home Instance Setup

Simply visit the Lemmy instance you want to set as your home while the script is active. You will be asked if you want to set this instance to your home instance:

If you initially set your home instance wrong or just want to change it, no worries - simply go to your settings on your new home instance and press the button for it!

Coming soon

• Rewrite kbin post/comment links
• Better rewriting support for kbin community/user urls (e.g. sort options are currently ignored)
• Nicer tooltip styling (fit into page theme)
• Signify that "Show at home" button is loading for posts/comments

@tateisu@lemmy.juggler.jp PING!

I just had to delete over 44.000 Users, Bans and Activity messages from my database and defederate from lemmy.juggler.jp. Somehow, all their bans get propagated to the rest of the lemmyverse.

I did a quick check, and it seems like not all instances liked are affected, but some definitely are. aussie.zone, for starters (PING! @admin@aussie.zone )

The good news is that, due to the relational database, you only need to delete the users, and the database cascade does the rest. BEFORE YOU DO ANYTHING, MAKE A BACKUP OF YOUR DATABASE I am not responsible for messing up your database. Don't ever execute commands given by a stranger on the internet if you don't understand them. Also, unless you defederate from them, the logspam will just continue. So maybe do that first.

To fix it, get database access somehow, and check your instance table. There, search for the id for lemmy.juggler.jp with the following query:

SELECT id FROM instance WHERE domain = 'lemmy.juggler.jp';

Write down that id, and execute the following query:

DELETE FROM person WHERE instance_id=<the id you just wrote down>;

This will probably take a while (over 2 minutes on my database),

Example log message:

{
    "cc": ["https://lemmygrad.ml/", "https://lemmy.ml/", "https://midwest.social/", "https://lm.korako.me/", "https://tabinezumi.net/", "https://lemmy.shrieker.net/", "https://bar.southfox.me/", "https://sopuli.xyz/", "https://slrpnk.net/", "https://feddit.de/", "https://lemmy.perthchat.org/", "https://baraza.africa/", "https://mander.xyz/", "https://lemmy.eus/", "https://lemmy.ca/", "https://lemmy.fediverse.jp/", "https://fapsi.be/", "https://exploding-heads.com/", "https://baomi.tv/", "https://fediverse.ro/", "https://lemmy.pt/", "https://szmer.info/", "https://feddit.it/", "https://jeremmy.ml/", "https://group.lt/", "https://beehaw.org/", "https://lemmy.rimkus.it/", "https://lemmy.tedomum.net/", "https://lemmy.coupou.fr/", "https://lemmy.blahaj.zone/", "https://community.xmpp.net/", "https://lemmy.simple-gear.com/", "https://lem.simple-gear.com/", "https://lm.gsk.moe/", "https://latte.isnot.coffee/", "https://lemmy.sdf.org/", "https://lemm.ee/", "https://sh.itjust.works/", "https://lemmy.fmhy.ml/", "https://yiffit.net/", "https://lemmy.world/", "https://lemmyfly.org/", "https://vlemmy.net/", "https://lemmynsfw.com/", "https://programming.dev/", "https://terefere.eu/", "https://discuss.tchncs.de/", "https://infosec.pub/", "https://lem.elbullazul.com/", "https://feddit.jp/", "https://lemmit.online/", "https://aussie.zone/", "https://social.fossware.space/", "https://social.sour.is/", "https://lemmy.management/", "https://lemmy.one/"],
    "id": "https://lemmy.juggler.jp/activities/block/51bd6d83-3780-45c6-b29a-1b3a9a0bb401",
    "to": ["https://www.w3.org/ns/activitystreams#Public"],
    "type": "Block",
    "actor": "https://lemmy.juggler.jp/u/tateisu",
    "object": "https://lemmy.juggler.jp/u/samydes225879",
    "target": "https://lemmy.juggler.jp/",
    "summary": "spam accounts created?",
    "@context": ["https://www.w3.org/ns/activitystreams", "https://w3id.org/security/v1", {
        "pt": "https://joinpeertube.org/ns#",
        "sc": "http://schema.org/",
        "lemmy": "https://join-lemmy.org/ns#",
        "expires": "as:endTime",
        "litepub": "http://litepub.social/ns#",
        "language": "sc:inLanguage",
        "stickied": "lemmy:stickied",
        "sensitive": "as:sensitive",
        "identifier": "sc:identifier",
        "moderators": {
            "@id": "lemmy:moderators",
            "@type": "@id"
        },
        "removeData": "lemmy:removeData",
        "ChatMessage": "litepub:ChatMessage",
        "matrixUserId": "lemmy:matrixUserId",
        "distinguished": "lemmy:distinguished",
        "commentsEnabled": "pt:commentsEnabled",
        "postingRestrictedToMods": "lemmy:postingRestrictedToMods"
    }],
    "removeData": true
}

As it is now, it's quite inconvenient to not be able to see a community's actual subscriber count from an instance and instead see how many are subscribed to it from the current instance; makes it hard to judge their activity from a search, and is confusing for new users.

A shared user count directly in lemmy would be very useful.

Lemmy's API documentation currently appears to be the JS client implementation found here: https://join-lemmy.org/api/

This is very misleading, as these docs document the behavior of the JS client and do not provide a language neutral way to figure out what's going on.

Compare Lemmy's docs with something like the ActivityPub docs https://www.w3.org/TR/activitypub/

Going off ActivityPub, I could actually start to see how it all works and looks together. With Lemmy, I can reason about how the JS client works and do my best, but working with Lemmy you sometimes have to consume the Rust source as well.

So, this raises the barrier of entry for someone wanting to do Lemmy integrations to someone that needs to consume the above docs, plus be comfortable reading JS and Rust.

I saw some older posts from the lemmy devs saying: "Well, writing docs is hard, so it's easier if we generate the docs from our JS client."

They aren't wrong, writing documentation IS hard. If Lemmy is serious about attracting a larger ecosystem, I consider better API documentation to be on the hot path. I'm concerned that the devs are happy with the autogenerated docs above and won't put any effort into improving them. Even worse, the people generating these docs are already familiar with Lemmy, so they probably think the current docs are adequate.

I don't know a quick solution -- raise money to pay someone to write docs? No clue. But, if you want to attract developers to this ecosystem, the current API documentation is insufficient.

Hi all,

I’d hereby like to announce lmmy.to, an instance-aware redirector for Lemmy that allows you to directly link people to Lemmy communities on their own instance.

As an example, try https://lmmy.to/c/lemmy@lemmy.ml.

I’ve created !lmmy_to@derp.foo to discuss it. There’s also a FAQ.

Edit: I've resolved the 500 error people were getting.

In light of the proverbial hitting the fan over at #reddit I am considering giving @kbin or @lemmy a go. I think I can follow/interact with their communities from here? isn't that enabled with ActivityPub? if so, then that is fantastic :D

Hello,

Since this morning I am disconnected every time I visit my instance (lemmy.ml).

Even just closing the tab and coming back to lemmy.ml 5 minutes later, I have to login again.

I use 2FA.

Is anyone else seeing this?

Have a great day!

Sad to see almost none of the devs, from
Apollor (ChristianSelig), RIF (u/talklittle), Infinity (u/Hostilenemy),
Boost (rmayayo), BaconReader, to Relay (u/DBrady), etc. are not considering Lemmy at all.

I know these were hobbies but by atleast developing it for some time just to make transition for your audience to Lemmy easier would have gone a long way!

@lemmy @LemmyDev Lemmy will remain a niche platform if not enough people switch to it

tl;dr, I'm posting this Lemmy issue that proposes a CORS change to allow Lemmy web clients to work with Lemmy servers without needing a proxy (possible security risk). Please show your support by +1ing the issue and the PR!

Issue link: https://github.com/LemmyNet/lemmy/issues/3109 PR link: https://github.com/LemmyNet/lemmy/pull/3421

Background

The web has many security features, and one of them is CORS, or Cross-Origin Resource Sharing. CORS ensures that when you click a button on a website in your browser, your account information isn't immediately compromised. It's one of many layers that protect your information from malicious actors.

Lemmy currently has this feature. Its CORS is configured to reject HTTP requests from an origin that is not what it expects. For example, if I'm on cool-lemmy-client.com and I request a list of posts from beehaw.org, the browser will reject the request. This is because beehaw.org is telling the browser "hey, this request is only valid if it's made within the beehaw.org website, otherwise reject it!

This effectively means that third-party Lemmy web clients cannot talk to any Lemmy server. It's impossible because those web clients are hosted outside of Lemmy servers, so the browser will refuse any interaction with those Lemmy servers.

Why Wefwef works

Wefwef is a third-party web client. It also runs in the web browser, and yet it works. How does it do that?

It turns out that Wefwef actually runs a proxy in the middle. The browser essentially hits this proxy instead, and the proxy makes the request on behalf of the browser. When it returns data, the proxy simply passes that data back and tells the browser that its origin is allowed.

This works because CORS is a browser thing: requests are rejected in the browser, not anywhere else, and because the proxy is its own server and not a browser, it's not affected by CORS. This is also why applications like Jerboa work perfectly well.

Note: This is not to say anything about Wefwef! In fact, the developer of Wefwef expresses the same opinion!

Why proxies are bad

There are a myriad of issues that come with running a proxy for a web client, but it can be boiled down to 3 quick points:

1. It creates a single point of load. All users of a particular web client now have to rely on a particular CORS proxy, and that puts a lot of load on that proxy.
   • This is actually an ongoing issue for Wefwef.
2. It exposes sensitive data to more parties. Specifically, CORS proxy operators (often the application maintainers) can see any information passed through it, including user tokens! Theoretically, they can steal your account.
3. It is extra work for application maintainers to also maintain and scale CORS proxies.

Why it doesn't make sense

Restrictive CORS doesn't make sense for Lemmy. It is not an effective way to block third-party clients, since it is only a browser restriction. But people can still run proxies for their web applications, and that just makes things worse for everyone!

Lemmy doesn't benefit from restrictive CORS.

Why it's not a security problem

I said above that CORS helps prevent scenarios where your account information is stolen just by clicking a random button. However, this does not apply to Lemmy! To explain why, I need to look at how Lemmy (or any website) knows who you are.

Lemmy uses a JSON Web Token (JWT). Simply put, it's a piece of text that tells the server "this is user X", which is then cryptographically signed by the server, meaning it can't be altered by anyone else without also breaking the signature. This allows the server to trust that if the signature is valid, then user X's claim can be trusted.

Typically, the browser can send this token in two ways:

1. It can do so using cookies. The server tells the browser "hey, store this token", and later requests made by the browser will also include this token.
2. It can do this by manually appending the token somewhere in the request, usually in the Authorization header. The application is usually the one that receives the token and manually stores it somewhere. It then manually reads this token back when it needs to and appends it to its requests.

Applications that implement the first method would be vulnerable to the aforementioned security problem if CORS didn't exist: the browser could append the cookie to every subsequent request, including requests from other sites! This means that if I go to seemingly-legit.com and the site makes a request to beehaw.org, that request will be made on my behalf without my knowledge!

Fortunately, we can tune CORS so that we can still make requests to beehaw.org without randomly leaking user data! Specifically, CORS has a separate header that tells the browser not to send cookies, even if it allows requests from anywhere (Access-Control-Allow-Credentials vs. Access-Control-Allow-Origin). This is what Lemmy PR does.

Applications implementing the second method may or may not be vulnerable:

• If it stores the token in its local storage, then only it can see that token. The browser does this by giving each origin (domain, e.g. google.com) a completely separate local store. Discord is one of the many applications that does this.
• If it stores the token in the browser's cookie store, then it behaves the same as the first method. The only difference is that instead of the server telling the browser to set the cookie, it's the application code running on the browser that sets the cookie.

Lemmy stores tokens in the cookies. As long as we're careful about which CORS headers we return, the browser won't leak them!

What we should do

Lemmy issue #3109 discusses this issue. You can show your support by responding with a thumbs up (+1) or a heart.

I have also created Lemmy PR #3421 which fixes this problem directly in code. You can also show your support by responding to this PR with a thumbs up or a heart.

I'm currently developing a Lemmy web client, and I need the CORS changes merged in order to use it with Lemmy instances running v0.18 or newer. Having this merged would save me a lot of time and effort. The developer of Wefwef has expressed the same opinion. Please consider supporting the application developers by upvoting these issues!

On lemmy.world (where I'm mostly at) I see local communities getting posts in threads that are clearly for another thread. World still runs on 0.17.3, as the captcha is disabled in 0.18.0 and 0.18.1-rc1 gave issues.

Is this a known issue with federation between versions or limited to the old version?

Hello there, just a quick question. I seem to have had all of my posts removed. Most of which were submissions to /c/Ireland_On_Lemmy , which is a community I made. Pretty much all the posts were links to news articles or something similar. They definitely were not in any way problematic, so I'm wondering is there a technical problem going on to say my posts have vanished. Trying to view my posts in the Jerboa Android app causes the app to crash, but its latest update has been causing crashes every few minutes anyway, so I'm not sure if that is related.

Anyway, has anyone experienced anything similar? Is there anything I can do?

This was the second time I noticed this, but was super apparent today due to how slow the instance is loading, but the top right is showing another persons username (forgot to take a screenshot sorry). It happened the other day, the instance wasn't really slow, but I saw it for a split second it was showing another name and then loaded in mine correctly. Today the same thing, but with all the slowness, it was there for a good few seconds this time so I know I wasn't seeing things.

I'm sure its some sort of caching issue and probably not really an actual security concern, but just wondering if anyone else had noticed this or if the admins were aware.

Hello !

I'm pretty new to Lemmy and I created a community I want people to know about.

Is there some place I can do that without being spammy or disrespectful ?

Help get Lemmy working with right to left languages (Arabic, Farsi, Urdu, Hebrew, Sorani Kurdish, Punjabi, etc)

https://github.com/LemmyNet/lemmy-ui/discussions/1604

[posted in @lemmy #a11y #internationalization #i18n]

Hey everyone! After my first week of settling in here, I think what would give my lemmy experience the biggest boost of any single added feature would be Multilemmys (or Multicommunities), so we can see the combined feeds of multiple communities in a single streamlined feed. I guess the purpose of this post is to spread awareness of this as a concept and point to the ongoing discussion on Github:

Support for grouping communities / multi-communities #818

Cross-instance 'multireddits', that are also automatic and topic-based #1113

Community Grouping #3071

I have seen users post that this was how they initially thought the fediverse would work when it was explained to them. I thought this would be the case as well when I joined. Although I am new to this world, I feel this is one of the most intuitive abilities associated with the concept of the fediverse and that it MUST eventually be possible, the sooner the better.

This is similar to "multireddits", and the equivalent way to use them would be to combine feeds from different communities that are on the same instance, so for example I have one multilemmy to combine the feeds from /c/politics, /c/news, /c/worldnews, /c/worldpolitics (all on lemmy.ml).

Then additionally with Lemmy we have equivalent communities hosted across various instances, and it would be a new and different kind of ability to be able to combine these into a single multilemmy, so for example I have a multilemmy combining lemmy.ml/c/politics, lemmy.world/c/politics, beehaw.org/c/politics, etc.

I found this idea mentioned a few times around lemmy, where @deadcyclo@lemmy.world and @communist@beehaw.org pointed out the above open github tickets for these ideas.

Those github discussions were a fascinating read for me! Its clear that the boffins have already put a fair amount of thought into these possibilities, and identified questions that will need to be answered such as

• how to deal with communities that have the same/different name but are or are not actually the same subject
• duplicate posts and/or cross posts
• whether to cause automatic/default links or not
• how to implement this in a way that is of most benefit to the health of the lemmy ecosystem
• there seem to be two separate use-cases also: one being communities intentionally linking to share content and the other being a user creating their own custom combinations, either for personal or public use.
• how to handle subscriptions

Discussion continues even this week! After reading through all the ideas, I don't have any specific preference but I am excited to see what they eventually decide to implement as I'm sure it will be rewarding. Personally I think getting some cross-instance version of this should become a priority as soon as they feel they've adequately responded to the reddit migration, which I imagine would be a month or two down the road.

I gotta end by saying how happy I am to be here after leaving Reddit, this really feels like the start of something incredible. Cheers!

created a test community on enterprise.lemmy.ml to play with it. Don't feel it work super stable right now though. I think the huggingchat usage could have more interesting usage than simple tldr thing.

I just switched to a different instance that is more focused on my interests (Cyber-sec and IT).

The process of creating a new account was as easy as before, but there is not really a migration path like in Mastodon, so I ended up editing my Bio to link the new profile, and adding Old at the end of my Display name. I then had to manually suscribe to all of the communities I was following before by searching for them by !communityname@instance, that part was too manual, too slow and definitely needs streamlining.

Some of the communities I followed before had never been accessed from my new instance, so I'll have to wait a bit to start seeing posts and comments, but that was expected as I am beginning to understand how federation works.

My old comments and posts will not be migrated (there's currently no way to migrate them), but that's ok, I plan on leaving the old account up for about a month.

All in all, not a terrible process, but exporting/importing followed communities/followers/followed users would be a very welcome addition for users looking to migrate to a different instance.