Max-P

Indicates to me the decision to do ActivityPub was bolted on very late in the project’s lifecycle, probably rushed to try to take the users flocking away from Twitter.

Because a lot of those limitations makes zero sense.

Lemmy wasn’t ready and still mostly not ready for a mass Reddit exodus. The Reddit API fiasco wasn’t anticipated by anybody and the large influx of users exposed a ton of bugs and federation issues.

But it’s not a failure, yet. I’m sure Reddit had growing pains after the Digg exodus too. Some platforms take years to become popular. Reddit was small for quite a while before it became more mainstream.

In a way to me Lemmy feels a bit like Reddit must have been a few years before I joined it 12 years ago.

The problem is the expectation that Lemmy could replace Reddit overnight, and would immediately be a 1:1 replacement.

Although personally I like it more here, and I get more interactions than Reddit. But I am a tech nerd, so.

My instance’s been running at ~0.8 of load average, everything on one box and it also runs Matrix and a few other services. I’ve never felt the need to SSH in and even look at it.

I know it doesn’t scale great but it’s far from the worst offender I’ve hosted either.

I forgot that was even a problem because of it 😂

To be fair, Lemmy is super alpha software. It’ll take months and years before the platform is mature and more user friendly and has an ecosystem of really good apps.

We’re like, emails just got invented era of fediverse. It’s having to explain that yes, if you have a Yahoo address you can still email Hotmail users 2 decades ago all over again.

Now that the big ones like Threads and Bluesky are joining, users will be more familiar with the concepts and it’ll get less… confusing.

This is what that looks like on a good Lemmy frontend:

I forgot the default UI didn’t do that. Both Tesseract and Boost handle those mostly just fine.

I haven’t encountered that particular one in a while. Usually it’s Lemmy links from elsewhere like Matrix or Discord or whatever that are annoying to deal with and needs redirecting.

Most apps seems to rewrite the links already just fine, at least Tesseract does. It’s not like the default UI is known to be good. It’s functional but the UX is terrible.

Some UIs do, I have Tesseract on mine and it rewrites the links for me.

That doesn’t solve sharing a link on Matrix/Discord/Google or wherever. I rarely have this issue on Lemmy itself, but whenever I get a link from elsewhere, that’s when I need to be able to open it on my home instance so I can interact with it.

Same deal with Mastodon. You’re reading some news, it links so the dev’s Mastodon, you need a way to open it in your home instance.

There’s no fixing that.

EDIT: test self link to this comment https://lemmy.world/comment/10561034

Because if you’re on say, lemmy.world because you clicked such a link, lemmy.world has no way of knowing what your home instance is. The cookies are all sandboxed for lemmy.world’s use. So even if you used a third-party site whose sole purpose is to know your home instance, it still wouldn’t work because now third-party cookies are sandboxes based on the domain of the site you’re visiting.

That used to be possible with a third-party. That’s how the Facebook like buttons and Login with Google used to work, and those are also the reason it’s no longer possible. You used to be able to just embed some JS from a third-party on a site, and that JS can access cookies from the third-party site while also being directly callable from the site that embedded it. So in that case, we could agree on a third-party lemmy redirector service whose sole purpose is to store the user’s home instance in a cookie and then the script can be embedded everywhere and it would be able to spit out the URL from the cookie. But that hole’s been plugged. So even if you do that, it doesn’t work anymore because of stronger cookie sandboxes. But that’s why you’d need third-party cookies to pull it off.

So the only fix left for this is, every lemmy instance you visit, you have to set your home instance on it, which would set a cookie that the site can actually see, then it could redirect you to your home instance to view the post. But that still kinda sucks, because you have to do it for every instance you run across.

So, cookies are useless for this.

That looks to be it, I recognize the long long list of instances in the code.

Is it the best? Don’t know but it works well enough.

I’ve been using a GreaseMonkey script to do that, I can’t find the exact one I used but there’s a bunch that do posts too, and extensions.

It would have to go through some sort of Lemmy link redirector service because a site can’t access another site’s cookies. And even then, with third-party cookie sandboxing, that still wouldn’t work.

I don’t think this is solvable without a browser extension. The best the devs could do is let you enter your home instance URL on each instance such that eventually you’ve configured them all and it works. But the extensions are just plain better.

There’s a bunch of browser extensions as well to add a “show on my instance” link whenever it detects a Lemmy instance page which basically does the same thing automatically for you, pretty useful.

Yeah the image proxy will stay off for me. Mangling user’s posts permanently is unacceptable, it’s like the whole HTML escaping thing again. You always want to store the original data in its original form that way you have the freedom to tweak the processing at runtime, and if you fuck it up the data isn’t permanently fucked up (again, like the 0.18 HTML crap that should never have happened).

If they do that, they can no longer complain that Meta is freeloading on them and get themselves banned by Meta like they did in Canada…

Kbin is an example. But just due to the nature of the protocol, it has to be stored somewhere but Lemmy also just lets admins view all the individual votes directly in the UI.

That’s fine to do once you’ve reported it: you’ve done your part, there’s no value still seeing the post it’s gonna get removed anyway.

Still report as well, it sends emails to the mods and the admins. Just make sure it’s identifiable at a glance, like just type “CSAM” or whatever 1-2 words makes sense. You can add details after to explain but it needs to be obvious at a glance, and also mods/admins can send those to a special priority inbox to address it as fast as possible. Having those reports show up directly in Lemmy makes it quicker to action or do bulk actions when there’s a lot of spam.

It’s also good to report it directly into the Lemmy admin chat on Matrix as well afterwards, because in case of CSAM, everyone wants to delete it from their instance ASAP in case it takes time for the originating instance to delete it.

The guy that manages Kbin has been having personal issues and stepped away from the fediverse so yeah Kbin is kind of in limbo at the moment and indeed not well moderated. There’s mods but there’s just so much they can do. The software doesn’t federate the deletions so even if they’re gone on Kbin, they remain everywhere else.

Masquerading a normal looking link for another one, usually phishing, malware, clones loaded with ads.

Like, lets say I post something like

https://www.google.com

And also have my instance intercept it to provide Google’s embed preview image, and it federates that with other instances.

Now, for everyone it would look like a Google link, but you get Microsoft Google instead.

I could also actually post a genuine Google link but make the preview go somewhere else completely, so people may see the link goes where they expect even when putting the mouse over it, but then they end up clicking the preview for whatever reason. Bam, wrong site. Could also be a YouTube link and embed but the embed shows a completely different preview image, you click on it and get some gore or porn instead. Fake headlines, whatever way you can think of to abuse this, using the cyrillic alphabet, whatever.

People trust those previews in a way, so if you post a shortened link but it previews like a news article you want to go to, you might click the image or headline but end up on a phony clone of the site loaded with malware. Currently, if you trust your instance you can actually trust the embed because it’s generated by your instance.

On iMessage, it used that the sender would send the embed metadata, so it was used for a zero click exploit by sending an embed of a real site but with an attachment that exploited the codec it would be rendered with.