So if you do the Docker setup, obeying the instructions and substituting everything that needs to get substituted, but don’t proofread the files in detail and so miss that line 40 of docker-compose.yml doesn’t have the variable {{domain}} like in every other location you need to write your domain, but instead just says LEMMY_UI_LEMMY_EXTERNAL_HOST=lemmy.ml and so you fail to change it away from lemmy.ml… then, everything will work, until you type in your admin password for the first time, at which point your browser will send a request to lemmy.ml which includes your admin username, your email address, and the admin password you’re trying to set. And, also, of course your IP address wherever you are sitting and setting up the server.

I have no reason at all to think the Lemmy devs have set their server up to log this information when it comes in. nginx will throw it away by default, of course, but it would be easy for them to have it save it instead, if they wanted to. And my guess is most people won’t use a different admin password once they figure out why creating their admin user isn’t working and fix it.

@dessalines@lemmy.ml @nutomic@lemmy.ml I think you should fix the docker-compose.yml file not to do this.

Edit: Just to increase the information-to-rudeness ratio of my post. The docs are at:

https://join-lemmy.org/docs/administration/install_docker.html

And they recommend using wget to download:

https://raw.githubusercontent.com/LemmyNet/lemmy-docs/main/assets/docker-compose.yml

Which is pulled from:

https://github.com/LemmyNet/lemmy-docs/tree/main/assets

Which is what has the wrong line 40 in it.

Edit: They fixed it. Good stuff.

    • PhilipTheBucket@ponder.catOP
      13015·
      19 hours ago

      I think it should be more public knowledge than just people who peruse the github issues. Also, it’s so trivial to fix that it will save them some time if they don’t have to close the issue after they spend literally 10-15 seconds fixing it.

      • Azzu@lemmy.dbzer0.com
        54·
        4 hours ago

        There is no other reason to do it like this in a Lemmy post other than you want to publicly discredit the devs somehow. This is quite obviously a mistake and not a way to harvest admin passwords. Just fixing it and not trying to stir up shit would have been the right thing to do.

        • PhilipTheBucket@ponder.catOP
          2077·
          19 hours ago

          It would literally take me longer to make the github issue than it would take them to fix it, by quite a big margin. You can make one for it, if you still feel super-strongly about it though.

          • limer@lemmy.dbzer0.comEnglish
            463·
            19 hours ago

            I am a lazy unreliable person. But I find value in what you found and want it fixed.

            If you don’t do it, it probably will not get fixed so fast

            • PhilipTheBucket@ponder.catOP
              2332·
              18 hours ago

              I cannot imagine any responsible dev who would read this notification and say anything other than “Oh shit, yeah, that’s really bad,” and fix it on the spot before they continue with whatever they had visited Lemmy to do. Like I say, it’s relevant that it takes literally seconds to grasp the issue and fix it.

              I don’t fully disagree with you, I get it, github issues is where issues with the software belong. I wasn’t trying to be a jerk by suggesting that you do it. Anyone from these comments is welcome to. But, also, I am sort of curious about what their reaction will be. Finding out that kind of thing is interesting to me.

              If they are actively uninterested in fixing it, however they get made aware of it, then that’s really interesting.

              • limer@lemmy.dbzer0.comEnglish
                2610·
                18 hours ago

                Pretty sure it’s an oversight but devs are overworked, really overworked

                There are many more important things to fix before this.

                But an issue will put it in the todo list

                • Deceptichum@quokk.auEnglish
                  175·
                  18 hours ago

                  I wouldn’t give them the benefit of the doubt, the devs are dodgy fuckers.

                • PhilipTheBucket@ponder.catOP
                  1917·
                  18 hours ago

                  Within the last hour, dessalines has posted three things about communism that are longer than the fix for this issue.

                  Edit: Everyone’s got the right to do whatever they want to do. I’m not trying to accuse anyone of not spending enough time making software for me, just because occasionally they might want to do some other things with their life. The thing I’m trying to emphasize with this is how short the fix is. It’s seconds. It’s not one of those “but you have to recompile, what about this other branch” or anything like that. It’s literally a fairly critical security fix with 100% of the fix in a one-line change to a documentation file.

                  • locuester@lemmy.zipEnglish
                    2611·
                    18 hours ago

                    Wow you typed a LOT to defend not making a GitHub issue. That energy redirected to writing a GitHub issue would be stellar.

                  • dastanktal@lemmy.ml
                    178·
                    18 hours ago

                    Go fix it yourself. You’re correct that’s the admin’s problem but if you’re so insistent that it takes a minute go submit a merge request real quick.

                    Also it’s only a security breach if you don’t change the admin password or your domain which should be standard for setting things up on the Internet anyway.

                  • limer@lemmy.dbzer0.comEnglish
                    178·
                    18 hours ago

                    Why don’t you a pull request and fix it yourself ? If you have the ability to recognize and know what to fix, and if you care, do it!

                    I know I’m too lazy to help them, what is your excuse ?

                    I swear, I might just get off the fence and help them myself on unrelated issues, it’s making me that unsettled

              • fishos@lemmy.worldEnglish
                209·
                18 hours ago

                Oh I abso-fucking-lutely can imagine seeing someone spamming me with DMs or making a public post to try and shame me instead of commenting on the actual source project going straight into my “ignore this twat” pile. This post is just a cry for attention. You’re trying to be some sort of hero, saving us from evil or some shit.

                Go make a GitHub request like a reasonable normal person and stop cluttering up others feeds with this inane bs.

                • PhilipTheBucket@ponder.catOP
                  1510·
                  18 hours ago

                  I am not typing here in the hopes that they will fix it. I am typing here to communicate to other users what’s up with it. Whether or not to fix it is up to them. You’re welcome to your opinion.

                  • fishos@lemmy.worldEnglish
                    911·
                    18 hours ago

                    Bullshit. In another comment you literally complain about them posting comments(3 communist comments I think you said?) and not fixing this because in your words it should take less time to just fix it. You also say that their response(or lack of) to this specific post is interesting to you as proof of their inner motivations.

                    Furthermore, if you didn’t want them to fix it, then tagging them is only to bully them.

                    You’re so full of shit you can’t even keep it straight since you posted this an hour ago.

          • dastanktal@lemmy.ml
            309·
            18 hours ago

            It literally takes a minute to make a GitHub issue and you could have linked it here for your conversation. Probably would have helped the admins of ml change things. Especially considering that things like this get overlooked all the time in open source projects.

          • n3m37h@sh.itjust.works
            2515·
            18 hours ago

            And look at how much time you wasted defending your position to not post a github issue. Fucking unbelievable that you will publicly complain but NOT bring the issue up with the devs

            Fuck people like you

    • southsamurai@sh.itjust.works
      74·
      16 hours ago

      Just for the hell of it, I don’t know about OP, but I don’t even know how to.

      I went to the relevant linked section and couldn’t find a way to raise an issue directly. I’m going to try again, and if I succeed I’ll return here and make a top level comment for anyone scrolling by and wondering. I’ve never tried to do this before, so I’ll see how it goes.

      Edit: aha!

      You have to go to the issues page and select the “new issue” button, where you’ll be directed to log in to github.

      Which, for me, means I’m finished trying. No desire whatsoever to have another login for a one time thing. If I ever manage to learn enough code to do anything like this often enough, I’d do it, but it just isn’t worth it to satisfy my curiosity about the process.

      • Azzu@lemmy.dbzer0.com
        34·
        4 hours ago

        OP managed to find the bug. He knows how to fix it. Obviously he’d know how to make an issue about it, and probably even know how to contribute his fix that he already made in the official way to the open source project.

        You do not possess these skills so obviously you’re not the one who should make the issue.

        Yet he decided to somehow create this public post highlighting something that could be sketchy to try to publicly discredit the devs. There is no other reason to do it like this.

        • BroBot9000@lemmy.worldEnglish
          3·
          2 hours ago

          If it could be sketchy the public should know about it.

          The people that didn’t change their password after it getting leaked should also know about it and update their info.

          Whistleblowers like Op are doing the right thing. No blind faith in some dear leader.