Hey folks!

It’s time for some lemm.ee updates! Feel free to skip ahead to whichever sections seem interesting to you.

New bot rules

The reception to my previous meta post was very positive, so we are going ahead with the new bot rules on lemm.ee. The new rules have been added to our front page sidebar and will be enforced by admins starting on the 1st of August.

The final version of the rules looks like this:

  • All bot accounts must be explicitly marked as bots
  • Bots must not vote on any posts or comments
  • Bots must disclose their specified purpose in their profile
  • Bots must not be responsible for the majority of content in any community

The goal for now is to limit bots to a support role. In other words, we have nothing against bots which are used to support running a community for real people, but we do not currently want to host communities which are completely filled with bot content on lemm.ee.

It’s definitely true that bot-only communities might provide valuable content, but we need to balance this value with how bots affect our feeds. If in the future the volume of organic user-created content on lemm.ee increases to a point where bots can’t easily overwhelm the local feeds, then we may reconsider the last rule.

I apologize again to any bot developers who have chosen lemm.ee as the home for your bot-driven communities; I hope you can find another instance without too much trouble.

0.18.3 update

Last week, lemm.ee was updated to Lemmy version 0.18.3. We were previously already running a patched version of 0.18.2 which included many of the performance improvements that landed in .3, so the upgrade did not have as much of an effect on lemm.ee as it probably did on many other instances.

In any case, we are now again running on a completely unmodified version of Lemmy, and will continue to do so until there are performance or security reasons to run a custom patch again.

lemm.ee stance on hosting alternate Lemmy frontends

In the past few months, a lot of alternate web UIs for Lemmy have started cropping up. I’ve checked out a few of these and I think a few look really cool!

While such frontends generally provide ways to use them without being directly hosted on any specific instance, some instances have begun hosting such frontends on their own servers as well. I’ve also received a few dozen requests to host such frontends directly on lemm.ee. I would like to address these requests directly here.

For the time being, I am not planning to host any other frontends than the default lemmy-ui on lemm.ee. There are several reasons for this.

I am personally familiar with lemmy-ui code (to a reasonable extent). I know what it’s doing overall, I know several of its pitfalls and I am able to quickly react in case of issues. As just one example, lemm.ee was the first instance in the world which fixed the weak script-src CSP in lemmy-ui that enabled the recent login session breach on some other instances - this is because I deployed the code on lemm.ee before I submitted a PR to the lemmy-ui repo with the fix.

The above would not be true for alternative frontends. I don’t have the capacity to go through the implementation details of additional projects at the moment, so I have no idea what the code would be doing in any third party UI. I have no way to guarantee that it’s not malicious to begin with. Even if the code is not malicious, I would not be able to quickly apply patches if problems crop up.

As a result of all this, I am not comfortable with hosting these third party frontends on lemm.ee for now. Note that this does not mean you’re not able to use such frontends with lemm.ee - all the ones I’ve checked will work perfectly fine without being hosted on the same domain as the instance itself. But as with any 3rd party app, please be careful when using these frontends - by doing so, you are effectively sharing your username and password with anybody who is developing and hosting them.

Personal note

Some of you may have noticed that I have been a bit less active in the several Lemmy-related communication channels & GitHub for the past week or so. The reason for this is that I’ve had two stressful things happen: earlier this month, I found extensive water damage in my house which is not covered by insurance. Even worse, shortly after this discovery, I received news that my current place of work, a startup, is shutting down at the end of August (mostly due to changed market conditions).

As a result, I’ve been spending a fair bit of time trying to deal with the renovation of my house & now am also spending additional time trying to figure out where I can land in terms of employment in order to keep putting food on the table. Nevertheless, I am hoping to get back to more Lemmy contributions soon.

Sorry to use this space for selfish purposes, but I would like to take this chance to note that if anybody is looking for a remote software engineer, I am currently open to new opportunities! Just as a short overview about myself:

  • I’ve been working as a software engineer for over a decade, about 5 years in technical leadership roles
  • I have experience with end to end ownership of software platforms - everything from writing code to running it in production
  • I’m based in the EU but happy to work in either EU or US timezones
  • For the past few years, my main tech stack has been TypeScript (nodejs/react) + Postgres + Terraform, but I have extensive experience with a lot of other technologies and generally am quite adaptable
  • I have experience running platforms at considerably bigger scale than Lemmy

I would of course happily go into much more details if you contact me directly, so if this is interesting to anybody then please feel free to reach out!

Also, please let me assure anybody who is worried: lemm.ee funding is not currently in jeopardy. For the next couple of months, lemm.ee is not even dependent on a single cent of my own financial contributions, as community support has provided enough money already to give us a nice buffer. I am planning to write a summary of our financials in the next few weeks; please keep an eye on the meta community if you’re interested in seeing this!

That’s all for now, thanks to anybody who has made it this far! As always, please feel free to leave comments below if you have any thoughts or questions.

  • athlon@lemm.ee (27 upvotes, 1 year ago)

    As an author of one Lemmy front-end, I can confirm that you are potentially sharing your username and password. Unfortunately, there is no way for Lemmy front-end developers to, say, open a web socket to a Lemmy instance and have you log in through a web browser (which would be much preferred from a security standpoint, but it is what it is).

    Furthermore, from what I see, many of such front-ends store your password, instead of just the Bearer token. Unfortunately, from what I get, there is also no way of invalidating the Bearer tokens right now, so in the event of it getting stolen - you’re f***ed.

    Now, a couple of tips:

    • USE 2FA AUTHENTICATION. In the event of malicious app actually stealing your credentials, you are at least a little bit more protected by this layer.
    • Use a password manager - do not use your banking password, please.
    • Only use trusted front-ends, and in the event of an app, only download versions from official sources maintained by the app author.
    • Make sure the instance you’re registered at has a valid HTTPS certificate.