Posts
595
Comments
1,799
Joined
12 mo. ago

  • A lot of people, I think, would appreciate knowing if there's indication that their software might be doing something sketchy to them. You might feel that my appropriate response about it should be to shut up, shut up, shut up!, but I don't think I will. When it comes to issues of trust and security in software, it's usually not that good an idea to just silently fix it and not talk about it so nobody's feelings will be hurt and no one will feel bullied.

    I've posted the patch and recommended that someone post a PR about it. I do think it would be good if it gets fixed. If the Lemmy devs claim that me being a twat is a good excuse for just leaving it as is, then like I said, that's a super interesting turn of events.

  •  
        
    --- a/docker-compose.yml	2025-07-12 00:17:33.050443300 +0000
    +++ b/docker-compose.yml	2025-07-12 00:18:21.038972526 +0000
    @@ -37,7 +37,7 @@
         image: dessalines/lemmy-ui:0.19.12
         environment:
           - LEMMY_UI_LEMMY_INTERNAL_HOST=lemmy:8536
    -      - LEMMY_UI_LEMMY_EXTERNAL_HOST=lemmy.ml
    +      - LEMMY_UI_LEMMY_EXTERNAL_HOST={{ domain }}
           - LEMMY_UI_HTTPS=true
         volumes:
           - ./volumes/lemmy-ui/extra_themes:/app/extra_themes
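Review bot: `{{ domain }}` on the new `LEMMY_UI_LEMMY_EXTERNAL_HOST` line is template syntax that Docker Compose does not expand on its own (its interpolation form is `${VAR}`), so if this file is ever used without being rendered first, the UI receives the literal string as its external host. Suggest a comment next to this line, or at the top of the file, saying the value must be replaced with the instance's own public hostname before the stack is started.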
    
      

    Edit: From https://github.com/LemmyNet/lemmy-docs/tree/main/assets

  •  
        
    --- a/docker-compose.yml	2025-07-12 00:17:33.050443300 +0000
    +++ b/docker-compose.yml	2025-07-12 00:18:21.038972526 +0000
    @@ -37,7 +37,7 @@
         image: dessalines/lemmy-ui:0.19.12
         environment:
           - LEMMY_UI_LEMMY_INTERNAL_HOST=lemmy:8536
    -      - LEMMY_UI_LEMMY_EXTERNAL_HOST=lemmy.ml
    +      - LEMMY_UI_LEMMY_EXTERNAL_HOST={{ domain }}
           - LEMMY_UI_HTTPS=true
         volumes:
           - ./volumes/lemmy-ui/extra_themes:/app/extra_themes
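Review bot: the hunk touches only the single `lemmy.ml` at line 40 of `docker-compose.yml`; before this is sent as a PR, search the rest of that file and the files shipped alongside it for any other hard-coded `lemmy.ml`. The PR description should also say that operators who already deployed from the old file have to change `LEMMY_UI_LEMMY_EXTERNAL_HOST` by hand, since a fix to the published file does not reach running instances.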
    
      

    Edit: Just to be clear, this applies to https://github.com/LemmyNet/lemmy-docs/tree/main/assets which is linked to from https://join-lemmy.org/docs/administration/install_docker.html
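A check an instance operator could run against the compose file they actually deployed, as an added example that is not part of the original comments or the Lemmy project: it flags a `LEMMY_UI_LEMMY_EXTERNAL_HOST` that names a host other than the operator's own, or that is still an unrendered `{{ domain }}` placeholder. The function names, the exit-code convention and `lemmy.example.org` are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the Lemmy project). Exit codes are this script's own convention:
#   0 = every LEMMY_UI_LEMMY_EXTERNAL_HOST entry equals the expected host
#   1 = an entry names some other host (the case the patch above fixes)
#   2 = no entry found, or an unrendered {{ ... }} template placeholder
check_external_host() {
    file=$1
    expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    status=0
    # Drop quotes, then accept list form ("- KEY=value") and mapping form ("KEY: value").
    values=$(tr -d "\"'" < "$file" |
        sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*LEMMY_UI_LEMMY_EXTERNAL_HOST[[:space:]]*[=:][[:space:]]*//p' |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' |
        tr '[:upper:]' '[:lower:]')
    [ -n "$values" ] || { echo "$file: setting not found" >&2; return 2; }
    while IFS= read -r v; do
        case $v in
            *'{{'*) echo "$file: unrendered placeholder: $v" >&2
                    [ "$status" -eq 1 ] || status=2 ;;
            "$expected") ;;
            *)      echo "$file: external host is '$v', expected '$expected'" >&2
                    status=1 ;;
        esac
    done <<EOF
$values
EOF
    return "$status"
}

# Constructed sample: the lemmy-ui service from the hunk with a chosen host value.
write_sample() {
    cat > "$2" <<EOF
services:
  lemmy-ui:
    image: dessalines/lemmy-ui:0.19.12
    environment:
      - LEMMY_UI_LEMMY_INTERNAL_HOST=lemmy:8536
      - LEMMY_UI_LEMMY_EXTERNAL_HOST=$1
      - LEMMY_UI_HTTPS=true
EOF
}

tmp=$(mktemp -d)
write_sample 'lemmy.ml' "$tmp/unpatched.yml"
write_sample 'lemmy.example.org' "$tmp/rendered.yml"
for f in "$tmp/unpatched.yml" "$tmp/rendered.yml"; do
    check_external_host "$f" lemmy.example.org && echo "$f: OK" || echo "$f: FAIL ($?)"
done
rm -rf "$tmp"
```
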

  • I think it would be very rare that people would put two and two together to realize that their password had been "stolen" by this event. Like I say, I have no real idea even if it is being stolen, just that it would be trivial for .ml to decide that they wanted to start keeping a little cache of everyone's admin email addresses and passwords.

    Like someone else said, if it was anyplace other than lemmy.ml, I wouldn't give it a second thought, it would just be "whoa you gotta fix this." I sort of agree with you that there's not even really any strong indication that there's anything all that bad they could do with it. It's only because lemmy.ml moderation actions already have such a pattern of authoritarian dishonesty that I get to any degree paranoid or alarmed about it.

  • Within the last hour, dessalines has posted three things about communism that are longer than the fix for this issue.

    Edit: Everyone's got the right to do whatever they want to do. I'm not trying to accuse anyone of not spending enough time making software for me, just because occasionally they might want to do some other things with their life. The thing I'm trying to emphasize with this is how short the fix is. It's seconds. It's not one of those "but you have to recompile, what about this other branch" or anything like that. It's literally a fairly critical security fix with 100% of the fix in a one-line change to a documentation file.

  • The longer I look at it the more suspicious I am of it, to be honest. I'm just kind of generally a paranoid and accusatory person, so take that into account, but... the files are pretty carefully set up. They have variable substitutions for everything, including a bunch of places where there's a template substitution to change a string around when setting cache keys so that it'll still work out-of-the-box right away, even in complex configurations like multiple domains on a single server. It all works out-of-the-box right away, they've clearly been attentive to making sure it's all set up right and keeps working cleanly as things have been evolving forward. Except for that one place.

  • I cannot imagine any responsible dev who would read this notification and say anything other than "Oh shit, yeah, that's really bad," and fix it on the spot before they continue with whatever they had visited Lemmy to do. Like I say, it's relevant that it takes literally seconds to grasp the issue and fix it.

    I don't fully disagree with you, I get it, github issues is where issues with the software belong. I wasn't trying to be a jerk by suggesting that you do it. Anyone from these comments is welcome to. But, also, I am sort of curious about what their reaction will be. Finding out that kind of thing is interesting to me.

    If they are actively uninterested in fixing it, however they get made aware of it, then that's really interesting.

  • What if the emotional resonance of specific, concrete actions is precisely what builds the coalition necessary for systemic change?

    People familiar with Paul Farmer said that his involvement with individual direct patients on a constant and ongoing basis was a big part of why he could spend his other time on globe-spanning improvements to the global health system and have it have some kind of real positive impact.

  • They might actually just care about the moral issues involved (or at least be worried enough about pushback to fake it).

    They’re going to make a river of money regardless, and so maybe it’s not worth taking a reputational hit or risking some kind of legislation, just to preserve the 0.00000001% of their revenue stream that is deepfake porn based.

  • Tito smoking Cuban cigars in the White House while sitting down with Nixon is also hilarious.

    Nixon told him, “Mr. President, we don’t smoke in the White House.”

    Tito laughed and said, “Lucky you!” and finished his cigar and no one attempted again to make him stop.

  • Technology @beehaw.org

    ICANN angry as AFRINIC election suspended

    Gaming @beehaw.org

    Here's why Inscryption is a good game

    Enough Musk Spam @lemmy.world

    Elon Musk's Lawyers Say He "Does Not Use a Computer"

    Politics @beehaw.org

    Trump is ignoring court orders, and the Supreme Court seems OK with that

    Politics @beehaw.org

    Nearly a quarter of NYC’s early voters were new Democratic primary participants

    Cybersecurity @sh.itjust.works

    Typhoon-like gang slinging TLS certificate 'signed' by LAPD

    Cybersecurity @sh.itjust.works

    WhatsApp messaging app banned on all US House of Representatives devices

    Politics @beehaw.org

    N.Y.C. Mayoral Primary May Hinge on Early Voters as Heat Wave Looms

    Politics @beehaw.org

    Republican representative’s ectopic pregnancy clashes with Florida abortion law

    Mildly Interesting @lemmy.world

    The Voynich Manuscript May Be a Hoax

    Technology @beehaw.org

    Dark web’s longest-standing drug market seized in multinational effort

    Politics @beehaw.org

    Senate passes GENIUS stablecoin bill in a win for the crypto industry

    Politics @beehaw.org

    GOP budget bill faces nearly 2-to-1 opposition, with many unaware: Poll

    Politics @beehaw.org

    Bernie Sanders, seven other senators urge Democrats to break with billionaire donors

    Politics @beehaw.org

    Like School Shootings, Political Violence Is Becoming Almost Routine

    Space @beehaw.org

    NASA to silence Voyager's social media accounts

    Politics @beehaw.org

    Real paper ballots are a must: N.Y. needs to get rid of touchscreen voting machines

    Politics @beehaw.org

    2024 Presidential and Senate Results Called Into Question as Lawsuit Advances

    Enough Musk Spam @lemmy.world

    Musk’s DOGE Goons Surreptitiously Transmitted Reams of White House Data

    Politics @beehaw.org

    ABC News Suspends Correspondent Terry Moran Over Trump Post