Those didn’t completely break federation, they just had some issues with a few services besides lemmy. They’re addressed now, but federation compatibility will always be an ongoing task as new services get added and existing ones change their activitypub responses.
As far as I’m aware the most widely-accepted standard for responsible disclosure is 90 days. This is a little different, since that’s normally between businesses and includes the time needed to develop a solution; it’s not typically aimed at federated or self-hosted applications rolling out an already-created patch. On the one hand, granting them that extra time to upgrade seems reasonable. On the other, wouldn’t anyone wanting to exploit a vulnerability be able to reverse-engineer it pretty easily by reading the git history?
The 90 days disclosure you’re referencing, which I believe is primarily popularized by Google’s Project Zero process, is the time from when someone discovers and reports a vulnerability to the time it will be published by the reporter if there is no disclosure by the vendor by then.
The disclosure by the vendor to their users (people running Lemmy instances in this case) is a completely separate topic, and, depending on the context, tends to happen quite differently from vendor to vendor.
As an example, GitLab publishes security advisories the day the fixed version is released, e.g. …gitlab.com/…/critical-security-release-gitlab-16….
Some vendors will choose to release a new version, wait a few weeks or so, then publish a security advisory about issues addressed in the previous release. One company I’ve frequently seen this with is Atlassian. This is also what happened with Lemmy in this case.
As Lemmy is an open source project, anyone could go and review all commits for potential security impact and to determine whether something may be exploitable. This would similarly apply to any other open source project, regardless of whether the commit is pushed some time between releases or just before a release. If someone is determined enough and spends time on this they’ll be able to find vulnerabilities in various projects before an advisory is published.
The “responsible” alternative for this would have been to publish an advisory at the time it was previously privately disclosed to admins of larger instances, which was right around the christmas holidays, when many people would already be preoccupied with other things in their life.
It adds another view to Registration Applications to show only denied applications, helpful for identifying spam applications and rule circumventers. I know a few people have been asking for something similar to this.
When I saw LemmyMl was down I went to sleep and had a dream where I was eating extremely large fries that that were labeled on the fryholder “Sadistically Large” (chicken fries as well as potato fries) and drinking probiotic shakes so dangerous they literally had to be bundled with a free antibiotic shake by law which of course I took one sip of in front of the clerk to calm them down before guzzling the other shake down with impunity. Woke up before I found find out what the burger was. Maybe those anti-woke types are on to something.
I can’t speak for others, but I still seem to be experiencing issues with federation. I’ve got a comment in here that isn’t showing up on other instances.
Yeah that’s my theory. I think the workers were busy catching up on the whole backlog of all the comments and posts that had built up over the ~3 week period it wasn’t working.
Lemmy is one of the few ones platforms that attempts to preserve vote and mod action privacy, to prevent harassment, and encourage ppl to vote honestly. Several other platforms just let any user see who voted, which isn’t the best idea since it’s been shown that ppl are less likely to be honest if they know that their votes are public.
The main reason I added it for admins, is bc a lot of ppl have been understandably upset by downvote-stalkers, or those who downvote with multiple accounts.
Like anything, there’s the possibility for abuse, but at least by limiting it to admins only, we can prevent a lot of potential harassment that other platforms are currently allowing.
Does this mean we are gonna be able to see comments from other instances? I sometimes see post with a certain number of comments (in the hundreds) but when I open the post I only see a fraction of them.
That sounds correct for the user settings form, but not for the comment / post creation form. Open up an issue on lemmy-ui’s gitbub for this if you would.
Added the ability for admins to view votes, to prevent downvote trolling.
Please give individual users the ability to use an automated system to request to see these votes. There’s times where I’ll post something that nobody reasonable should show umbrage to and it will get slammed. I want to find out where they’re coming from and clear house.
For privacy reasons, and so that people will vote honestly, I’d like this to stay admin-only (and possibly in the future, community mods). But if you ping an admin, we can look into it and see if you’re being downvote-stalked.
I totally respect this being potentially a big ask, but does anyone have a TL;DR of what caused or was the fix for the federation issue(s)? I don’t have capacity at this moment to look through Github Issues and PRs, but I’m curious
From the little I saw (and zero Rust, or Tokio (I think they use that) knowledge) … federation workers weren’t persisting correctly whenever it would hit certain errors or problems.
Releases are always for backend and frontend together, unless mentioned otherwise. You can check the tags in the git repos, or check the available versions on docker hub.
lemmy.ml is a lemmy instance run by the developers of lemmy. lemmy.ml is federated with hexbear, so you can read their posts and we can read your posts.
How does lemmy federation work in this case? Conceivably after being restored from backup the lemmy.ml instance could see those few hours of lost history as federated to other lemmy instances and resync it back as the host instance. Obv I’m vastly oversimplifiying things but what happens today?
It strikes me that there is the potential to use trusted remote servers as a means of recovering the lost data. I mean, nearly every lemmy instance except lemmy.ml will have copies of the missing data, and given the hugely redundant availability of that data (including the ability to compare from multiple sources to establish/verify trust), using that data to rebuild missing content seems like it could be useful functionality.
If I understand, federating contents through ActivityPub only works once. Sounds a good feature to re-download contents again, but may introduce additional work as there should be some way to know if a content is missing then another job to rebuild
That doesnt work because we generally cant trust remote servers. Plus we dont even know where to fetch from, so wed have to run a complete crawl of all known instances which isnt practical.
announcements
Active
This magazine is from a federated server and may be incomplete. Browse more on the original instance.