🎉 thanks to the developers and everyone who helped!
one bug i noticed after the upgrade: my notifications page shows unread notifications for (what i guess is) every reply i’ve ever received which was later deleted. the count in the bell icon only reflected the actual new unread notifications I had received since I last looked, but when i click to view my unread notifications then all of these old ones about deleted messages appear to be unread now.
I could be wrong, but I interpret this post as being about Mastodon’s culture of being against search technology, which I find depressing and irritating for reasons I explained in that other thread as well as this one.
However, I just noticed a place where there is some lack of informed consent here on Lemmy: in the Lemmy UI, it appears that upvotes and downvotes are anonymous. I checked a long time ago, and realized that they weren’t really; the identity of the up or down voter is federated, but it is simply not shown by the UI.
I would assume that many (probably most) lemmy users do not realize this: admins of your own instance and all federated instances have the ability to see who upvoted and downvoted what.
It just now came to my attention that Friendica actually is showing this information publicly, in the form of “$username does not like this” for a downvote! https://rytter.me/display/4c906314-4763-d3aa-4584-11a516756414 🤣
(hey @OptimusPrime@lemmy.ml … why did you downvote that? I myself am also listed there as not liking it; I downvoted it as a test to confirm my assumption that it would show up as “does not like”, and then when I undownvoted it that event apparently didn’t get federated.)
imo these are the kind of “informed consent” issues that fediverse developers should be thinking about, rather than “how can we increase the power imbalance by making it so that only the elite are allowed to have fulltext search… in the name of justice” as so many seem to be hell-bent on doing.
i clicked a button that most lemmy users would assume is an anonymous up/down vote and now my name is listed on a 3rd party website saying i “don’t like” something (even though I tried to undo it). #thisisfine
?
you could open the terminal and type ping -c 1 lemmy.ml
which will send an echo request to lemmy and see if it replies, and will also tell you what IP address your computer is currently resolving the name to. if it is an IP address other than 51.38.185.90 then you are dealing with DNS censorship which is usually easy to circumvent by using a different DNS server. if it has the correct IP and some error message or a timeout, that would be interesting.
if you want to paste the output of that command here, to copy text from the terminal to your clipboard you can use ctrl-shift-c (instead of ctrl-c like in other programs, because in the terminal ctrl-c by itself sends an interrupt signal to the running program).
lemmy.ml currently appears to be hosted on a French OVH IP address (51.38.185.90).
Do you know who is blocking it, or why?!
Hopefully it is just DNS blocking, so you could circumvent it by using a different DNS server?
Are you running the software that you want to be listening on that port while you’re doing the test? Are you sure it is actually listening on that port? You can see which ports which programs are listening on with the command sudo ss -tulpn
(those options tell it to display tcp and udp listening ports and program names, and to not try to resolve IP addresses into names; see man ss
for details).
If you’ve opened the port in your gateway and your local firewall and you’re running the software, it seems like it should work… one possible reason why it might not would be if you’re double NAT’d (eg the NAT gateway you’re configuring is itself behind another NAT gateway). To see if this is the case, try to find in the router’s web interface if it says what its WAN (upstream) IP address is. If it’s something else in an RFC1918 range (192.168.x, 10.x, or 172.16-31.x) then you’re double NAT’d and need to figure out how to configure the outer NAT gateway.
I’m guessing that your computer doesn’t have its own public IP address, so, opening ports on its firewall doesn’t actually make them reachable on the internet yet. You’re probably behind a NAT gateway (eg, the modem/router your computer is connected to the internet via), so you need to open a port there and direct it to your computer.
NAT allows your whole LAN to share a single public IPv4 address, which means that for inbound connections the gateway needs to be configured to know which LAN address to send inbound traffic on a given TCP/UDP port to.
On your linux computer you can find out the IP address of your router with the command ip route |grep default
, and then you can browse to that address in your web browser. You’ll most likely need its password (maybe it’s written on the bottom of your router/modem?). Once you’re logged in to its web interface, you’ll hopefully be able to figure out how to use it to open/allow/map/route ports to your computer.
edit: it looks like the URL you’re using to test is referring to a different port than any of the ones you said you’ve opened with ufw
, which might be a problem? also, btw, the ufw allow
command takes effect immediately - you don’t need to systemctl restart ufw.service
afterwards.
Good twitter thread here claiming the original one saw a 500% boost in Navy applicants (a number claimed numerous other places but which I gave up looking for a source for after a couple minutes). Meanwhile here is the US Naval Institute claiming that, instead of Top Gun, the late 80s enlistment increase should be attributed to increased spending on recruiting (ignoring that some of that money most likely helped subsidize the film), even though there were recruiters in theaters then too and 90% of applicants in some cities had seen it… and therefore concludes implausibly that the new film’s “effect on the service’s recruiting will probably be small at best”.
…note that Reuters reported back in February that “The critical Yamal pipeline has dropped to a fraction of its normal flow from Russia. Since Dec. 21, the pipeline has been flowing in reverse, from west to east, sending German gas reserves to Poland. Russia oil giant Gazprom had declined to order any transit capacity across the route for February, while it has kept Nord Stream 1 flowing at near maximum capacity rates.”
Today RT reports a Gazprom official says “This week Poland refused to pay for the Russian gas with the new terms, in rubles. It was grandly announced that they no longer needed Russian gas and would not buy it any more. But in fact Poland keeps buying Russian gas after the direct supply was halted. It now buys the gas from Germany, and it comes back to Poland with the reverse flow via the Yamal-Europe pipeline”.
more coverage from Business Insider, CNN, AP.
This story really does not belong here in the “ukraine_war_news” community.
The only connection to the war is that they’re originally from Ukraine (but have been in the US for six years) and that someone apparently made a petition supporting them which incorrectly suggests that they could possibly be deported to Ukraine during the war. (By my understanding of US law, they will not in fact be deported until after serving their sentence in the US if they are convicted.)
It’s a desktop environment for free/libre operating systems.
/e/OS
Last time I looked, /e/ OS was going-to-be-open-source-later software (but was already distributing images). Now it looks like they have published a lot of source code but their FAQ ominously says
Yes – all our source code is available and you can compile it, fork it. Some pre-built applications are used in the system; they are built separately from source code available here, or synced from open-source repositories such as F-Droid. We ship one proprietary application though.
…which, for me, goes from cool to wat to nope in three sentences.
(I do wonder what their one proprietary app is, but am not going to spend more than the minute i just spent trying to find the answer to that question.)
Lemmy has an API and Reddit has an API, so, what you want shouldn’t be too difficult.
If you don’t want to start from scratch you could fork something actively maintained that uses the reddit API already, like tootbot, so that you only need to implement the Lemmy side.
You could ask on their forum or matrix channel. I just noticed that neither GNOME Foundation nor RedHat are listed on that about page, both of whom iirc are actually very involved. This post says “GNOME has a donor who is interested in supporting financial sustainability for app developers and removing barriers to an inclusive ecosystem. Flathub would like to use these funds to work with a contractor for a short-term project and make steps towards supporting application developers being able to request payments (whether donations or subscriptions).”
edit: reading more of that thread, I see another recent funder (possibly the aforementioned GNOME funder?) is “Endless Network”… inventors of “The World’s First Pay-As-You-Go PC” 🤦
There are currently six companies listed here, but, the important thing is that the flatpak client software can install things from places other than flathub (and the server-side software running flathub is free software).
The snapcraft server-side software is closed source, and even if someone reimplemented it they would also need to fork the snapd client software as the snapcraft URLs are hardcoded and not reconfigurable.
lemmy.ml is still bigger overall, but lemmygrad is more active over the last month
I agree that compared to the average carrier-provided or manufacturer-provided Android system, iOS out-of-the-box is less horrifically bad for privacy. But that is an extremely low bar :)
but Google is a advertising company
Apple is also in the advertising business, and is also an NSA collaborator.
Thanks, I edited the post to add Guix and Nix to the timeline.
It’s worth noting that Guix also packages WPE WebKit (another embeddable version of WebKit, which shares a version numbering scheme with WebKitGTK) from the same .scm file and for some reason has still not updated that (despite having just upgraded it the previous month to address another security problem).
(WPE WebKit is used far less than WebKitGTK on desktop OSes, but it can be used for things like webkit overlays in gstreamer pipelines…)
Seeing this post and wondering about the security implications of using a browser like this from Flatpak led me to make this post.
First, I want to say thank you for making Lemmy and for running this instance!
But, this “promotion initiative” strikes me as questionable idea for two reasons:
Having many instances hosted on the same infrastructure defeats a lot of the purpose of the federated model. If/when this infrastructure goes down for whatever reason, many instances will be affected.
If I understand your offer correctly, you’re actually only offering free hosting for one year? So, after a year, if the admins aren’t able to provide their own infrastructure, will you stop running their instances? This seems like it will inevitably leave a lot of users with a very negative impression of lemmy, when all of their posts and comments evaporate in to thin air.
Maybe the overlap between the set of people who are capable of running their own server and the set of people who would use a service like this is larger than I’m imagining, but I’m quite certain there are a lot of people in the second set who are not in the first.
It seems to me that a better approach would be to focus on making it as easy as possible to deploy lemmy, to encourage more instances on diverse infrastructure. (I see you already already have Docker, Ansible, and AWS instructions; as an aside, I recommend replacing the AWS instructions with a note recommending that users boycott Amazon…)
In some regions and on some issues (such as the currently-existing states that identify as Marxist-Leninist) Amnesty’s positions tend to be strongly US-aligned, while on other topics (such as Palestine, US domestic issues, and WikiLeaks) they’re very much not aligned. It turns out politics aren’t reducible to a small boolean circuit :)
When a website uses cloudlfare, TLS encrypts the connection (including passwords, etc) from your web browser to cloudflare - not from your browser all the way to the actual site you’re logging in to. (Then, if the request can’t be satisfied by cloudflare’s cache, there is another TLS connection from cloudflare to the “origin server”.)
In either case, Cloudflare sees everything sent to hostnames hosted by them.
Some sites might have your password sent to a different hostname that isn’t hosted by cloudflare, in which case they wouldn’t see your password, but, they would typically still see the resulting session cookie which allows someone to log in as you.
Cloudflare is like any other machine-in-the-middle attack except instead of being something everyone knows they should avoid, it somehow is a service that some people actually pay for (perhaps because they like to imagine that their website might one day be so popular that their VPS would insufficient to serve it).
In case you actually do need a CDN (and I’d guess 99.9% of cloudflare sites don’t), the correct way to do it is to use the CDN only for static content like images and video. Ideally the CDN shouldn’t need (or have) any cookies, and, if you don’t want to give the CDN (or malicious parties acting under their authority) the ability to hijack your users accounts, then you shouldn’t rely on them for hosting javascript either.
fzf is awesome but i keep forgetting it exists, thanks for the reminder.
This is a great writeup, but I’m not thrilled with the disclosure timeline.
Why did the author notify Google prior to submitting the patch to LKML, but then wait another whole week after that before notifying any other Linux distributors? (The LKML post doesn’t say that the bug it fixed is an exploitable vulnerability, but after the fix was public there was a much higher chance that attackers could realize that it is.)
Also, did any distros ship updates on March 7 when the vulnerability became fully public? Given that they were notified on February 28, it seems like they should have, but none of the ones I’ve checked did. (And while some have now, many still haven’t!)
As someone wrote in 2017 at Ubuntu Bug #1728616: using ‘devel’ in sources.list causes apt-get update to fail [via]:
The whole ‘devel’ thing has been half-broken in one way or another since it was introduced. My advice is just to not use it. And I honestly think we should remove all remnants of it from launchpad and the Ubuntu/PPA archives as well. Trying to treat “the latest at any given point” as the same thing as a “rolling” distribution may have been fun to score some political points, but it doesn’t actually do useful things.
Looking at the issues for “rolling-rhino” it looks like that is still the situation today.
telegram is (and has always been) terrible for privacy.
it’s great for cops around the world, more so in countries where telegram cooperates with them but also in ones where they don’t.
nobody should use telegram.