So if you do the Docker setup, obeying the instructions and substituting everything that needs to get substituted, but don’t proofread the files in detail and so miss that line 40 of docker-compose.yml doesn’t have the variable {{domain}} like in every other location you need to write your domain, but instead just says LEMMY_UI_LEMMY_EXTERNAL_HOST=lemmy.ml and so you fail to change it away from lemmy.ml… then, everything will work, until you type in your admin password for the first time, at which point your browser will send a request to lemmy.ml which includes your admin username, your email address, and the admin password you’re trying to set. And, also, of course your IP address wherever you are sitting and setting up the server.
I have no reason at all to think the Lemmy devs have set their server up to log this information when it comes in. nginx will throw it away by default, of course, but it would be easy for them to have it save it instead, if they wanted to. And my guess is most people won’t use a different admin password once they figure out why creating their admin user isn’t working and fix it.
@dessalines@lemmy.ml @nutomic@lemmy.ml I think you should fix the docker-compose.yml file not to do this.
Edit: Just to increase the information-to-rudeness ratio of my post. The docs are at:
https://join-lemmy.org/docs/administration/install_docker.html
And they recommend using wget to download:
https://raw.githubusercontent.com/LemmyNet/lemmy-docs/main/assets/docker-compose.yml
Which is pulled from:
https://github.com/LemmyNet/lemmy-docs/tree/main/assets
Which is what has the wrong line 40 in it.
Edit: They fixed it. Good stuff.
Why are you assuming malice when this is probably just a mistake/oversight?
Because of the way Dessalines and Nutomic consistently act?
Watch. They won’t apologize or admit wrongdoing here. They never do.
They did patch it just now.
I wonder what their answer for this will be in the coming days.
They fixed it.
Everyone here will be ml banned for five months.
And nothing of value would be lost.
Just the normal entropy of things
of course they will. this is still software
Because “when someone shows you who they are, believe them the first time .”
All I see here is a mistake. If that’s unforgivable to you then so be it.
If it wasn’t .ml I would not assume malice
Lol you’re on .world, what are you on about
I’m only on .world because Kbin isn’t around anymore.
As someone pointed out, as the admin of .ml is also the main lemmy developer, he could have obscured something like this way better in the code directly.
https://en.wikipedia.org/wiki/XZ_Utils_backdoor
This issue here is very different to the xz backdoor.
The xz backdoor was well obfuscated, planned out, and inserted by another actor.
This here is easy to notice, can reasonably be explained as a mistake, and can only benefit the og main devs of lemmy.
A “huh this is odd, also change yalls admin passwords” is appropriate here. Even if we got further indication it was malicious, it would still be far less crazy than the xz backdoor.
Both a strength and weakness of FOSS. There is also the solar winds hack for a proprietary analog in case anyone is curious.
Uh huh, just like how the instance/user block being horribly implemented to where it’s just a barely functional mute is just a (4 year) “oversight”.
Funny how their “oversights” just so happen to have benefits to their efforts to push authoritarianism
https://lemmy.world/post/29072279