So if you do the Docker setup, obeying the instructions and substituting everything that needs to get substituted, but don’t proofread the files in detail and so miss that line 40 of docker-compose.yml doesn’t have the variable {{domain}} like in every other location you need to write your domain, but instead just says LEMMY_UI_LEMMY_EXTERNAL_HOST=lemmy.ml and so you fail to change it away from lemmy.ml… then, everything will work, until you type in your admin password for the first time, at which point your browser will send a request to lemmy.ml which includes your admin username, your email address, and the admin password you’re trying to set. And, also, of course your IP address wherever you are sitting and setting up the server.

I have no reason at all to think the Lemmy devs have set their server up to log this information when it comes in. nginx will throw it away by default, of course, but it would be easy for them to have it save it instead, if they wanted to. And my guess is most people won’t use a different admin password once they figure out why creating their admin user isn’t working and fix it.

@dessalines@lemmy.ml @nutomic@lemmy.ml I think you should fix the docker-compose.yml file not to do this.

Edit: Just to increase the information-to-rudeness ratio of my post. The docs are at:

https://join-lemmy.org/docs/administration/install_docker.html

And they recommend using wget to download:

https://raw.githubusercontent.com/LemmyNet/lemmy-docs/main/assets/docker-compose.yml

Which is pulled from:

https://github.com/LemmyNet/lemmy-docs/tree/main/assets

Which is what has the wrong line 40 in it.

  • AusatKeyboardPremi@lemmy.world
    53·
    6 hours ago

    Thank you for discovering this, and creating awareness around it.

    Seems like a genuine miss, contrary to what the comments here would have one believe, given that the compose file (and rest of the docs) were mostly derived from whatever worked for the developers themselves.

    • PhilipTheBucket@ponder.catOP
      161·
      5 hours ago

      Seems like a genuine miss, contrary to what the comments here would have one believe,

      You might be right. I looked at the history and the way it came in, and it’s not as wildly anomalous to the rest of the file when looked at in context. Maybe it’s just a mistake.

    • PhilipTheBucket@ponder.catOP
      604·
      8 hours ago

      The longer I look at it the more suspicious I am of it, to be honest. I’m just kind of generally a paranoid and accusatory person, so take that into account, but… the files are pretty carefully set up. They have variable substitutions for everything, including a bunch of places where there’s a template substitution to change a string around when setting cache keys so that it’ll still work out-of-the-box right away, even in complex configurations like multiple domains on a single server. It all works out-of-the-box right away, they’ve clearly been attentive to making sure it’s all set up right and keeps working cleanly as things have been evolving forward. Except for that one place.

      • lorty@lemmy.ml
        1038·
        8 hours ago

        If we are entertain this idea, what could they possibly gain from this? Stealing passwords isn’t effective if the victim knows it’s been stolen.

        • otacon239@lemmy.world
          24·
          8 hours ago

          That’s just it. Someone might not realize that all that info was passed to the server when it failed if they weren’t thinking about it. They’d just correct their mistake and move on with their day, especially if they’re new to server administration as I’m sure many (not necessarily most) Lemmy admins would be.

        • PhilipTheBucket@ponder.catOP
          296·
          8 hours ago

          I think it would be very rare that people would put two and two together to realize that their password had been “stolen” by this event. Like I say, I have no real idea even if it is being stolen, just that it would be trivial for .ml to decide that they wanted to start keeping a little cache of everyone’s admin email addresses and passwords.

          Like someone else said, if it was anyplace other than lemmy.ml, I wouldn’t give it a second thought, it would just be “whoa you gotta fix this.” I sort of agree with you that there’s not even really any strong indication that there’s anything all that bad they could do with it. It’s only because lemmy.ml moderation actions already have such a pattern of authoritarian dishonesty that I get to any degree paranoid or alarmed about it.

        • MotoAsh@lemmy.world
          146·
          8 hours ago

          “What could they possibly gain from having keys to the kingdom?”

          rofl! Continue proving how absolutely brainless bootlickers are… It’s a good fit for you.

      • PhilipTheBucket@ponder.catOP
        213·
        7 hours ago

        Yeah, don’t they realize they could have just spent that time productively by making a pull request, instead?

          • PhilipTheBucket@ponder.catOP
            184·
            6 hours ago

            I mean probably I should. There are a bunch of people accusing me of being dick headed and petty and they’re not completely wrong. Honestly, I just don’t feel like helping the Lemmy devs. Dessalines, at least, is totally unapologetic about being a dickhead to people he has power over. That puts me in a mindset where, mostly, I want to talk to other people about potential harm he’s in a position to do, and not really in a mindset where I want to do even a small amount of extra work on his behalf.

            I’m going to tell other people that he’s in a position to take their passwords. If he wants to see that and put himself not in that position anymore? Great, I think he should. If he gets his feelings hurt because I’m not being super friendly about it? Well… okay. I’m not trying to be malicious about it or do anything other than clearly communicate the problem. But it seems like the lemmy.ml “in charge” crew in general has a lot of a mentality that’s kind of like, “Well, I’m in charge, and you’re not, so fuck what you think and fuck your rights. Ban.” (or whatever). The way I operate is that really makes me not want to be extra friendly or courteous to people. I used to have a regular donation to Lemmy development set up, I used to take it seriously the idea of getting involved in contributing to the code, and then I observed how they operate, and … like I say I’m mostly talking to the other people involved who I think should be aware of this. If the devs want to react, fix it, or get involved in the conversation, then sure, sounds good.

            The fix is in the comments below, if someone else wants to contribute it and do the very small amount of work of getting it in.

            • percent@infosec.pub
              134·
              6 hours ago

              It sounds like a pull request would have been much more helpful, with much less effort. But you want it fixed less than you want it publicized, so you chose this option (even though you could have done both).

              In other words, you cared less about the people impacted by this problem, and more about your own opportunity to put the author(s) on blast like this.

              And you care about that opportunity so much, that it’s even worth it to show this dark side of yourself publicly.

              Am I understanding that right?

              • BassTurd@lemmy.world
                91·
                5 hours ago

                Or OP is spreading the word to get it out there. Now it’s got eyes on it thanks to OPs work.

                Jesus. Some of you people just want to shit on someone for doing a good thing for no reason. Have you put in a pull request yet or are you just showing your dark side on top of being a dick to OP who did something good?

                • PhilipTheBucket@ponder.catOP
                  61·
                  5 hours ago

                  One of the .ml users down below volunteered to put in the PR later tonight if no one else has, so it sounds like both bases are covered now.

                • percent@infosec.pub
                  3·
                  5 hours ago

                  They could have done both.

                  If it’s not fixed by Monday, I will consider starting the approval process from the legal department that requires it from me.

                  I wish I had the freedom to just open a PR anywhere anytime, but I don’t.

              • PhilipTheBucket@ponder.catOP
                5·
                6 hours ago

                Let’s not get carried away. Shared software systems are about more than the software. If you’re looking only at the software, and that was literally 100% of what is important here and nothing else, then yes, you’re right.

                But you want it fixed less than you want it publicized

                100%. Yes. Correct. I also want it fixed, but that’s completely trivial, with or without the pull request.

                • irishPotato@sh.itjust.works
                  1·
                  49 minutes ago

                  I think there you hit the nail on the head! Just the fact that it is in there, whether intentionally or not is something that warrants warning people about. So that in the case someone goes to set up a server, they at least know that recently there was this rather severe risk of unnecessary credential exposure, again no matter if it was intentional or not.

                  However, I will say that I think I would have also opened the PR, not to help the original dev necessarily, but helping those that might come to use the software later.

            • TachyonTele@piefed.socialEnglish
              138·
              6 hours ago

              Regardless of all that drama, you could have spent five minutes at anytime in the last two hours writing significantly less than you have, and putting the the request in.

              You could have been done doing it in-between replies. Just saying.

      • Boomer Humor Doomergod@lemmy.worldEnglish
        568·
        8 hours ago

        “Of course the Central Committee would have access to your instance. Why is that a problem? Are you doing something counter-revolutionary?!”

    • OpenStars@piefed.socialEnglish
      243·
      7 hours ago

      We are using their tools though…

      Well, you are, while I am on PieFed:-P If you do not like what you’ve heard here, then consider switching to Piefed.World (Lemmy.World’s recently-announced PieFed replacement for Lemmy)

      • tal@lemmy.todayEnglish
        8·
        7 hours ago

        Oh, that’s interesting. Didn’t know about that.

        I don’t think that there’s a way to list instances that a PieFed instance has defederated from, unlike Lemmy; while both have a list of instances at /instances, only Lemmy indicates which ones have been defederated from. It was a helpful tool to help me guess the sort of content an instance had.

        Like:

        https://lemmy.world/instances (under “Blocked Instances”)

        https://piefed.world/instances

        EDIT: It does show the last time that the instance sent data, and I guess you could sort of guess that if a large instance that probably has activity hasn’t sent data to the PieFed instance recently — like lemmygrad.ml and hexbear.net on piefed.world — then they’re probably defederated. But it doesn’t clearly indicate that this is the case, either.

    • lorty@lemmy.ml
      3526·
      8 hours ago

      Why are you assuming malice when this is probably just a mistake/oversight?

  • Aatube@kbin.melroy.org
    71·
    5 hours ago
    rise up against dockers and the evil empire of containerization! reproducibility! microservices! middle management! security!

    /j

    • PhilipTheBucket@ponder.catOP
      11310·
      9 hours ago

      I think it should be more public knowledge than just people who peruse the github issues. Also, it’s so trivial to fix that it will save them some time if they don’t have to close the issue after they spend literally 10-15 seconds fixing it.

        • PhilipTheBucket@ponder.catOP
          1567·
          9 hours ago

          It would literally take me longer to make the github issue than it would take them to fix it, by quite a big margin. You can make one for it, if you still feel super-strongly about it though.

          • limer@lemmy.dbzer0.comEnglish
            381·
            8 hours ago

            I am a lazy unreliable person. But I find value in what you found and want it fixed.

            If you don’t do it, it probably will not get fixed so fast

            • PhilipTheBucket@ponder.catOP
              1724·
              8 hours ago

              I cannot imagine any responsible dev who would read this notification and say anything other than “Oh shit, yeah, that’s really bad,” and fix it on the spot before they continue with whatever they had visited Lemmy to do. Like I say, it’s relevant that it takes literally seconds to grasp the issue and fix it.

              I don’t fully disagree with you, I get it, github issues is where issues with the software belong. I wasn’t trying to be a jerk by suggesting that you do it. Anyone from these comments is welcome to. But, also, I am sort of curious about what their reaction will be. Finding out that kind of thing is interesting to me.

              If they are actively uninterested in fixing it, however they get made aware of it, then that’s really interesting.

              • limer@lemmy.dbzer0.comEnglish
                208·
                8 hours ago

                Pretty sure it’s an oversight but devs are overworked, really overworked

                There are many more important things to fix before this.

                But an issue will put it in the todo list

                • Deceptichum@quokk.auEnglish
                  144·
                  8 hours ago

                  I wouldn’t give them the benefit of the doubt, the devs are dodgy fuckers.

                • PhilipTheBucket@ponder.catOP
                  1513·
                  8 hours ago

                  Within the last hour, dessalines has posted three things about communism that are longer than the fix for this issue.

                  Edit: Everyone’s got the right to do whatever they want to do. I’m not trying to accuse anyone of not spending enough time making software for me, just because occasionally they might want to do some other things with their life. The thing I’m trying to emphasize with this is how short the fix is. It’s seconds. It’s not one of those “but you have to recompile, what about this other branch” or anything like that. It’s literally a fairly critical security fix with 100% of the fix in a one-line change to a documentation file.

              • fishos@lemmy.worldEnglish
                148·
                8 hours ago

                Oh I abso-fucking-lutely can imagine seeing someone spamming me with DMs or making a public post to try and shame me instead of commenting on the actual source project going straight into my “ignore this twat” pile. This post is just a cry for attention. You’re trying to be some sort of hero, saving us from evil or some shit.

                Go make a GitHub request like a reasonable normal person and stop cluttering up others feeds with this inane bs.

                • PhilipTheBucket@ponder.catOP
                  117·
                  8 hours ago

                  I am not typing here in the hopes that they will fix it. I am typing here to communicate to other users what’s up with it. Whether or not to fix it is up to them. You’re welcome to your opinion.

          • dastanktal@lemmy.ml
            227·
            8 hours ago

            It literally takes a minute to make a GitHub issue and you could have linked it here for your conversation. Probably would have helped the admins of ml change things. Especially considering that things like this get overlooked all the time in open source projects.

          • n3m37h@sh.itjust.works
            1811·
            8 hours ago

            And look at how much time you wasted defending your position to not post a github issue. Fucking unbelievable that you will publicly complain but NOT bring the issue up with the devs

            Fuck people like you

    • southsamurai@sh.itjust.works
      72·
      6 hours ago

      Just for the hell of it, I don’t know about OP, but I don’t even know how to.

      I went to the relevant linked section and couldn’t find a way to raise an issue directly. I’m going to try again, and if I succeed I’ll return here and make a top level comment for anyone scrolling by and wondering. I’ve never tried to do this before, so I’ll see how it goes.

      Edit: aha!

      You have to go to the issues page and select the “new issue” button, where you’ll be directed to log in to github.

      Which, for me, means I’m finished trying. No desire whatsoever to have another login for a one time thing. If I ever manage to learn enough code to do anything like this often enough, I’d do it, but it just isn’t worth it to satisfy my curiosity about the process.

  • DeathByBigSad@sh.itjust.works
    262·
    8 hours ago

    Bruh

    Now I have trust issues with open source programs.

    points glock at VLC Media Player

    “WHO THE FUCK DO YOU WORK FOR? TRYING TO JUMPSCARE ME?”

    💥🔫
    💥🔫
    💥🔫
    💥🔫
    💥🔫
    💥🔫

    • Stovetop@lemmy.world
      16·
      7 hours ago

      I’m reminded of stories I’ve heard of graduate students hiding a note and some cash in the pages of their theses that they submit to the university, just to see if anyone bothers reading it and takes the cash. They return years later to find it still there.

      With open source, the code is all there ready for review by anyone, as long as you have the technical knowhow and patience to review the code you use. But like reading the terms and conditions for everything we use, how many people actually take the time to go through all that code?

    • PhilipTheBucket@ponder.catOP
      122·
      7 hours ago
      --- a/docker-compose.yml	2025-07-12 00:17:33.050443300 +0000
+++ b/docker-compose.yml	2025-07-12 00:18:21.038972526 +0000
@@ -37,7 +37,7 @@
     image: dessalines/lemmy-ui:0.19.12
     environment:
       - LEMMY_UI_LEMMY_INTERNAL_HOST=lemmy:8536
-      - LEMMY_UI_LEMMY_EXTERNAL_HOST=lemmy.ml
+      - LEMMY_UI_LEMMY_EXTERNAL_HOST={{ domain }}
       - LEMMY_UI_HTTPS=true
     volumes:
       - ./volumes/lemmy-ui/extra_themes:/app/extra_themes

      Edit: From https://github.com/LemmyNet/lemmy-docs/tree/main/assets

  • socsa@piefed.socialEnglish
    2520·
    8 hours ago

    The funny part about this post is that @dessalines@lemmy.ml literally will not post on this instance (or most instances besides the tankie triad) because he is a coward.

    • MotoAsh@lemmy.world
      1717·
      8 hours ago

      You speak truth, and the proof is that coward will not even aknowledge this news. Mark my words… tankies are just fascists of a different degeneracy.

  • BlackLaZoR@fedia.io
    1619·
    8 hours ago

    Marxist-Lenninist being a totalitarian invigilation freak. Colour me surprised