SorteKanin @ SorteKanin @feddit.dk

Posts

15

Comments

1,655

Joined

2 yr. ago

That would be a way to do it, but it seems needlessly wasteful as it requires an additional HTTP request. But yea, that could be a way.

Pulling the data when a user requests a post/comment (with a cooldown/cache for popular posts) isn’t any more or less scalable

That would definitely be less scalable. That would entail pulling every single time a user views a post or comment. That's simply not feasible. There are far, far more views of content than there are posts, comments and votes.

Also what about stuff that isn't seen? What if nobody is logged in or nobody looks at the New sort? You need the votes before you even show the user anything, otherwise you can't sort the votes.

But if it has to be a push model, why doesn’t feddit.dk push the votes it knows about along with the rest of the data?

This has been explained elsewhere in the thread, see https://feddit.dk/post/7628338/10255563

the fact that mastodon and Lemmy use the same protocol is annoying

Well I think this is still better than the alternative, which is no interaction between them at all 😅. The protocol is what binds different Lemmy instances together too.

There were communities using this blatant security issue for non-malicious purposes (see https://endlesstalk.org/c/tails@lemmon.website, which re-wrote posts from people (which is only possible if the posts weren’t validated, or at least re-fetched from their origins)).

The reason this is possible is because of the way Lemmy federates activities.

When you on instance A post, comment or upvote something in a community on instance B, your instance sends the activity to instance B, regardless of the instance of who you're replying to or upvoting. It is sent to the community, and the community then shares it out to all other instances. AFAIK, lemmy does nothing to verify that received content from a community actually comes from the original instance. See here for one of the main Lemmy devs commenting on this..

Is this secure or reasonable? I'm honestly not sure but it doesn't feel great. Signatures on objects could fix this I think.

Unfortunately it is not that easy. It's not Mastodon that places the signature like that, it is the ActivityPub protocol. Lemmy, Mastodon and all other ActivityPub instances do it this way. You'd need to extend or change the protocol to somehow fix this. That is not easy and not something that will be done overnight.

All interactions are recived by the instance hosting the community

Exactly - but Mastodon doesn't do it like that. Mastodon sends the upvote directly to the instance with the user receiving the Like. So the community never sees the Like at all. So this is Mastodon not supporting groups, it is not a bug in Lemmy.

Your instance doesn't pull the upvotes from other instances. That would not be scalable. How would it know when to pull again, to see new upvotes? When would it stop pulling periodically? Never? And you'd have to do this for every single post and comment everywhere.

No, instead ActivityPub uses a push mechanism here. So any new activity is pushed out to the ones that are deemed relevant to know about the activity. Any other instances are unaware.

Group support would fix it for Lemmy, but it doesn't fully fix the problem as I see it with this way of sharing the Like objects. For toots outside of any group (in Lemmy terms: comments/posts outside a community), presumably it would continue to function like this, i.e. only the receiving instance is aware of the Like. This still encourages centralization if you ask me.

I don't think there is anything the Lemmy devs can do to fix this. The ball is in Mastodon's court, so to speak.

Then why, if I view the post on feddit.dk, does it not show me those likes/votes? What is dependent on my instance?

I don't understand what you mean, how does it now show you the likes? If you see the two comments here and here as I linked above, you can see the high upvote count. Almost all the upvotes are from Mastodon instances.

The upvotes do not appear if you view the comments from another instance, like here and here, because those instances did not receive the Like.

The Mastodon devs are aware of how their Like federation works and considers it a feature, not a bug.

Mastodon explicitly discourages support of LD signatures. It seems it has kind of landed in what I would call "specification hell".

at the minimum the followers of that user should be notified about that like…

I agree - the problem is that the instance that sends the Like (on instance A) doesn't know the followers of the user receiving the Like (on instance B), because followers are not (necessarily) public. So it doesn't know which instances to send the Like to. And instance B can't forward the Like to the followers itself, because the signatures in ActivityPub are not made for that, as I explained elsewhere in the thread.

Feddit.dk and any other Lemmy instances do show Mastodon upvotes. It's not Feddit.dk-specific, it just so happens that Feddit.dk has a couple of comments that went super popular on Mastodon. It's just random. Maybe try reading the post again, it sounds like you misunderstood something.

There's not such a thing as a "Lemmy style" upvote. It's all Like objects under the hood shared via the ActivityPub protocol. But ActivityPub has no mechanism for sharing an activity further than the original receiver (i.e. forwarding from A to B to C and so on). It's really only made for direct sharing from A to B.

still I wonder whether the lemmy system of federating all upvotes would scale well if the number of users grows to that of mastodon and beyond ?

It's a good question and really we just don't know yet I think. It's very hard to predict performance of complex systems. The only way to know, is basically by measuring, and the only way to do that is if we actually had that amount of users.

Could there be some intermediate compromise solution (e.g. federate batches of 100 likes)?

Unfortunately ActivityPub has no way to "batch" activities like this.

This is in fact how Feddit.dk knows that the Like came from mastodon.social at first. The problem is that the signature is a HTTP Signature which is only associated with the HTTP request that mastodon.social makes to Feddit.dk. It is not on the Like object itself. Thus that signature can't be transferred to the Like object if Feddit.dk wanted to share it further.

No, but how could it? Let's say Feddit.dk receives a Like from mastodon.social. Then Feddit.dk would have to tell the other instances that mastodon.social sent that Like. But how can Feddit.dk prove that the Like actually did come from mastodon.social, i.e. it is not just a fabricated Like that Feddit.dk made up and hid by pretending it came from mastodon.social. That's not easy.

You should petition your admins to defederate or move to an instance that does so.

Lemm.ee basically doesn't defederate anything. You should probably go to an instance that defederates those instances.