# Hello! I am sunaurus, the head admin of lemm.ee. Ever since I created my instance, I have been following a lot of public and private discussion channels between different parties involved with Lemmy. As I’m sure many others have also noticed, the discussions in such channels sometimes get heated, and in fact recently, I feel like there has been a constant trend in these discussions towards a lot of demands, hostility, negativity, and a general lack of empathy between different participants in the Lemmy network. I am writing this post for a few reasons: 1. I would like add a bit of positivity by expressing my gratitude towards every single person who has helped improve Lemmy. 2. I want to speak up in defense of different people who have been receiving negativity lately. 3. There are a few false rumors spreading on Lemmy, which I would like to try and counteract with very simple evidence. 4. **I want to remind everybody that at the end of the day, all of us care about building and improving Lemmy**. We all have the same goal, and it’s too easy to lose sight of that. I will split up what I want to say in this post by different user groups - users, mods, admins and developers. I understand that many people belong to several (or even all) of these groups, but I just want to highlight the value of, and express my gratitude to each group separately. ### Users At the end of the day, Lemmy would not be worth anything without the users. Users bring Lemmy to life by posting great content, getting involved in discussions in comments, helping surface interesting content for others through voting and even keeping the platform clean through reports. **I am extremely thankful for all the users who have given me so much enjoyment on this platform.** I believe that users often get treated unfairly on Lemmy based on what instance they are participating from. I’m sure so many of you have noticed comments around Lemmy along the lines of “Oh, another user from <instance>, I’m going to completely ignore your stupid takes”. I’ve also many cases of people treating users as second-class citizen if they are not on the same instance - for example, I’ve seen users who are active and valuable participants in communities on another instance receive comments like “why are you participating in our discussions, go back to your own instance”. In my opinion this is completely counterproductive to the whole idea of federation. On a human level, I can understand it - you’re far more likely to notice or remember what instance somebody is posting from if you have a negative experience. As a result, as time goes by, people tend to develop negative views of each instance, despite potentially having had many positive interactions with other users of those same instances. **The message I want to put out here is that instances, especially bigger ones, are not monoliths - do not judge users based on what instance they are browsing Lemmy from, judge them by their actual words and actions.** ### Mods There are some excellent communities already on Lemmy, and these communities are all continuously being built up and maintained by mods. Mods put in huge amounts of their free time and energy in order to provide spaces for all Lemmy users. They form the first line of defense against bad actors, they keep communities alive and often receive no praise, only criticism. **I am very grateful to everybody who has dedicated time to building communities on Lemmy.** Users rarely notice the lengths mods go to in order to keep communities running smoothly - mods more often than not only get noticed when users disagree with some mod actions. I believe mods deserve a lot better than this. Constructive criticism can of course be useful to improve communities, but it must be balanced with empathy and kindness towards people who have been putting in effort to provide something for users. Remember that there is another human being reading your words when you start writing about the mods of any particular community. Users who are not happy with mods of a certain community always have the opportunity to start their own community and run it as they like. ### Admins Admins provide two main key functions for the network: 1. Taking care of the actual infrastructure of Lemmy 2. Working as a higher level defense against bad actors, in cases where mods are not enough I can tell from my own experience that being an admin of a bigger instance requires **constant** energy and attention. I don’t believe that there is a single medium-to-big instance where the admins have not put in hundreds (if not thousands) of hours of their free time, as well as in many cases, probably their own money. This is a service which admins provide for free, and it is necessary in order to keep the Lemmy network healthy. **I have endless respect for anybody who is willing to put themselves in the position of a Lemmy admin.** I have seen awful messages towards admins from all the other groups listed here, including other admins. These messages range from condescending and rude, to downright hateful. I have seen admins treated as useless and their work taken for granted. I have seen people getting frustrated with admins for not spending every waking minute on Lemmy. I have seen some users consistently spreading provably false rumors about particular admins in an effort to tarnish their reputation on Lemmy. **Before you take out frustration on admins, please remember that they are also humans who have been working tirelessly to improve Lemmy in their own way.** Also, a reminder: the absolute best feature of Lemmy is that users are free to pick their instance - and as a result, users are also free to pick their admins. Even more than that, users can always become their own admins by spinning up their own instance. Yes, this requires dedication, effort, and research, but that’s exactly my point. It’s not easy running an instance, and mistreating people who do this as a free service is completely unacceptable. ### Developers Lemmy development has been lead by a few key maintainers, with a massive amount of smaller contributors. The software is constantly being improved at a very good pace, and everybody is able to benefit from this effort at no cost whatsoever. **I am extremely grateful to everybody who has participated in the development of the Lemmy software, and other related software, as without you folks, none of us would even be here now.** There seems to be a huge amount of people with very little appreciation of the work that has gone into the software. I’m sure many of you have seen countless messages where people express that the devs should be doing **more** in one way or another. “They should work faster”, “they should prioritize this *obviously* most important feature”, “they should be available 24/7 to offer support”, etc. I just want to take a moment here and acknowledge what core maintainers have already done for Lemmy: * Years worth of work on the code itself * Offering support to the community and other admins * Reviewing literally **thousands** of pull requests on GitHub * Acting fast in stressful situations where the Lemmy network has been overloaded * Not abandoning the project in the face of constant hateful users * Sacrificing literally **hundreds of thousands of euros** in missed salaries which they could have been getting if they were working for a tech company instead of working on Lemmy I also want to take this moment to discredit some rumors which I have seen repeated too many times: 1. **Rumor: Lemmy devs do not accept outside code contributions** This is completely false - the maintainers are completely open to (and even constantly asking for) contributions. When somebody starts contributing, they will receive support and code reviews very quickly. I can tell you that I have experienced this myself several times, but that’s anecdotal, so let me also provide evidence: a. Contributors list for the Lemmy backend: https://github.com/LemmyNet/lemmy/graphs/contributors b. Contributors list for Lemmy UI: https://github.com/LemmyNet/lemmy-ui/graphs/contributors **Both of these lists include 100 different names, and that’s only because GitHub literally caps these pages to 100 users.** Actually, the amount of different contributors is even bigger. If Lemmy devs did not accept and encourage outside contributions, then there would be no way for these lists to be so big. 2. **Rumor: Lemmy devs work too slowly** This is an extremely entitled and frankly stupid claim. I try to keep on top of the changes made in the Lemmy repo, and let me tell you, the pace of improvement is very good. I very firmly believe that if the network started downgrading to Lemmy versions from ~8 months ago, the whole network would just collapse, as none of the instances could keep up with the current volume. That is to say, we have come an extremely long way since last summer alone. Let me provide some more evidence. Take a look at the Pulse page for the Lemmy backend on GitHub: https://github.com/LemmyNet/lemmy/pulse. As of writing this, Lemmy devs have merged 18 pull requests in the week leading up to this post - that’s an average of 2.5 merged PRs per day. This is **extremely good** for a project with a small underfunded team. 3. **Rumor: Lemmy devs do not prioritize the important issues** There are two sides to this. First of all, there are endless users who turn to the Lemmy devs with what they believe is the most important issue and should immediately be prioritized - the problem is that almost none of these endless users have the same view of what the most important issue actually is! In that sense, it’s literally impossible to please everybody, because everybody wants different things. On the other hand, even when Lemmy devs do prioritize things which some users have been desperately asking for, I have on several occasions seen a dismissive response along the lines of “too little too late”. Basically, the demands made are often unrealistic and impossible to meet. If you are somebody who feels like Lemmy devs are not doing enough, I would ask you to please take a step back, look at the actual contributions which they have made, and consider how you yourself would feel if after making such a massive contribution, you would still need to listen to countless strangers on the internet tell you how you’re not good enough in their opinion. ### Conclusion Lastly, I am very thankful to anybody who took the time to read to the end of this post. Again, my goal is to try and defuse some of the hostility, as well as to put out a message of gratitude and positivity. I am very interested in the success of Lemmy as a whole, and that is much easier to achieve and maintain if we all work together. Thank you, I hope you're doing well, and have a nice weekend!

# UPDATE: The latest RC version of Lemmy-ui (0.18.2-rc.2) contains fixes for the issue, but if you believe you were vulnerable, you should still rotate your JWT secret after upgrading! Read below for instructions. Removing custom emoji is no longer necessary after upgrading. Original post follows: ---- This post is intended as a central place that admins can reference regarding the XSS incident from this morning. ### What happened? A couple of the bigger Lemmy instances had several user accounts compromised through stolen authentication cookies. Some of these cookies belonged to admins, these admin cookies were used to deface instances. Only users that opened pages with malicious content during the incident were vulnerable. The malicious content was possible due to a bug with rendering custom emojis. **Stolen cookies gave attackers access to all private messages and e-mail addresses of affected users.** ### Am I vulnerable? **If your instance has ANY custom emojis, you are vulnerable**. Note that it appears only local custom emojis are affected, so federated content with custom emojis from other instances should be safe. ### I had custom emojis on my instance, what should I do? This should be enough to mitigate now: 1. Remove custom emoji ``` DELETE FROM custom_emoji_keyword; DELETE FROM custom_emoji; ``` 2. Rotate your JWT secret (invalidates all current login sessions) ``` -- back up your secret first, just in case SELECT * FROM secret; -- generate a new secret UPDATE secret SET jwt_secret = gen_random_uuid(); ``` 3. Restart Lemmy server If you need help with any of this, you can reach out to me on Matrix (`@sunaurus:matrix.org`) or on Discord (`@sunaurus`) ### Legal If your instance was affected, you may have some legal obligations. Please check this comment for more info: https://lemmy.world/comment/1064402 ##### More context: https://github.com/LemmyNet/lemmy-ui/issues/1895 https://github.com/LemmyNet/lemmy-ui/pull/1897