649
submitted 1 day ago* (last edited 1 day ago) by [email protected] to c/[email protected]

So if you do the Docker setup, obeying the instructions and substituting everything that needs to get substituted, but don't proofread the files in detail and so miss that line 40 of docker-compose.yml doesn't have the variable {{domain}} like in every other location you need to write your domain, but instead just says LEMMY_UI_LEMMY_EXTERNAL_HOST=lemmy.ml and so you fail to change it away from lemmy.ml... then, everything will work, until you type in your admin password for the first time, at which point your browser will send a request to lemmy.ml which includes your admin username, your email address, and the admin password you're trying to set. And, also, of course your IP address wherever you are sitting and setting up the server.

I have no reason at all to think the Lemmy devs have set their server up to log this information when it comes in. nginx will throw it away by default, of course, but it would be easy for them to have it save it instead, if they wanted to. And my guess is most people won't use a different admin password once they figure out why creating their admin user isn't working and fix it.

@[email protected] @[email protected] I think you should fix the docker-compose.yml file not to do this.

Edit: Just to increase the information-to-rudeness ratio of my post. The docs are at:

https://join-lemmy.org/docs/administration/install_docker.html

And they recommend using wget to download:

https://raw.githubusercontent.com/LemmyNet/lemmy-docs/main/assets/docker-compose.yml

Which is pulled from:

https://github.com/LemmyNet/lemmy-docs/tree/main/assets

Which is what has the wrong line 40 in it.

Edit: They fixed it. Good stuff.

you are viewing a single comment's thread
view the rest of the comments
[-] [email protected] 112 points 1 day ago

That’s so on-character for .ml

[-] [email protected] 77 points 1 day ago

The longer I look at it the more suspicious I am of it, to be honest. I'm just kind of generally a paranoid and accusatory person, so take that into account, but... the files are pretty carefully set up. They have variable substitutions for everything, including a bunch of places where there's a template substitution to change a string around when setting cache keys so that it'll still work out-of-the-box right away, even in complex configurations like multiple domains on a single server. It all works out-of-the-box right away, they've clearly been attentive to making sure it's all set up right and keeps working cleanly as things have been evolving forward. Except for that one place.

[-] [email protected] 14 points 1 day ago

this is how those Marxist Leninst nation state actors work

[-] [email protected] 42 points 1 day ago

Im loving that there are ml users coming in and defending it lol

[-] [email protected] 14 points 1 day ago

Yeah, don't they realize they could have just spent that time productively by making a pull request, instead?

[-] [email protected] 43 points 1 day ago

Honestly, you found the fault. I agree that you should put the request in.

[-] [email protected] 16 points 1 day ago

I mean probably I should. There are a bunch of people accusing me of being dick headed and petty and they're not completely wrong. Honestly, I just don't feel like helping the Lemmy devs. Dessalines, at least, is totally unapologetic about being a dickhead to people he has power over. That puts me in a mindset where, mostly, I want to talk to other people about potential harm he's in a position to do, and not really in a mindset where I want to do even a small amount of extra work on his behalf.

I'm going to tell other people that he's in a position to take their passwords. If he wants to see that and put himself not in that position anymore? Great, I think he should. If he gets his feelings hurt because I'm not being super friendly about it? Well.. okay. I'm not trying to be malicious about it or do anything other than clearly communicate the problem. But it seems like the lemmy.ml "in charge" crew in general has a lot of a mentality that's kind of like, "Well, I'm in charge, and you're not, so fuck what you think and fuck your rights. Ban." (or whatever). The way I operate is that really makes me not want to be extra friendly or courteous to people. I used to have a regular donation to Lemmy development set up, I used to take it seriously the idea of getting involved in contributing to the code, and then I observed how they operate, and ... like I say I'm mostly talking to the other people involved who I think should be aware of this. If the devs want to react, fix it, or get involved in the conversation, then sure, sounds good.

The fix is in the comments below, if someone else wants to contribute it and do the very small amount of work of getting it in.

[-] [email protected] 18 points 1 day ago* (last edited 1 day ago)

It sounds like a pull request would have been much more helpful, with much less effort. But you want it fixed less than you want it publicized, so you chose this option (even though you could have done both).

In other words, you cared less about the people impacted by this problem, and more about your own opportunity to put the author(s) on blast like this.

And you care about that opportunity so much, that it's even worth it to show this dark side of yourself publicly.

Am I understanding that right?

[-] [email protected] 9 points 1 day ago

Let's not get carried away. Shared software systems are about more than the software. If you're looking only at the software, and that was literally 100% of what is important here and nothing else, then yes, you're right.

But you want it fixed less than you want it publicized

100%. Yes. Correct. I also want it fixed, but that's completely trivial, with or without the pull request.

[-] [email protected] 8 points 1 day ago

I think there you hit the nail on the head! Just the fact that it is in there, whether intentionally or not is something that warrants warning people about. So that in the case someone goes to set up a server, they at least know that recently there was this rather severe risk of unnecessary credential exposure, again no matter if it was intentional or not.

However, I will say that I think I would have also opened the PR, not to help the original dev necessarily, but helping those that might come to use the software later.

[-] [email protected] 4 points 1 day ago

Let's not get carried away.

...

Right...

load more comments (5 replies)
[-] [email protected] 3 points 1 day ago

Regardless of all that drama, you could have spent five minutes at anytime in the last two hours writing significantly less than you have, and putting the the request in.

You could have been done doing it in-between replies. Just saying.

load more comments (2 replies)
[-] [email protected] 18 points 1 day ago

Why are you assuming malice when this is probably just a mistake/oversight?

[-] [email protected] 34 points 1 day ago

Because of the way Dessalines and Nutomic consistently act?

Watch. They won't apologize or admit wrongdoing here. They never do.

[-] [email protected] 23 points 1 day ago

They did patch it just now.

[-] [email protected] 11 points 1 day ago

I wonder what their answer for this will be in the coming days.

[-] [email protected] 12 points 21 hours ago

They fixed it.

[-] [email protected] 12 points 1 day ago

Everyone here will be ml banned for five months.

[-] [email protected] 10 points 1 day ago

And nothing of value would be lost.

load more comments (1 replies)
[-] [email protected] 24 points 1 day ago

Because “when someone shows you who they are, believe them the first time .”

[-] [email protected] 12 points 1 day ago
[-] [email protected] 10 points 1 day ago

This issue here is very different to the xz backdoor.
The xz backdoor was well obfuscated, planned out, and inserted by another actor.

This here is easy to notice, can reasonably be explained as a mistake, and can only benefit the og main devs of lemmy.

A "huh this is odd, also change yalls admin passwords" is appropriate here. Even if we got further indication it was malicious, it would still be far less crazy than the xz backdoor.

load more comments (1 replies)
[-] [email protected] 9 points 1 day ago* (last edited 1 day ago)

Uh huh, just like how the instance/user block being horribly implemented to where it's just a barely functional mute is just a (4 year) "oversight".

Funny how their "oversights" just so happen to have benefits to their efforts to push authoritarianism

https://lemmy.world/post/29072279

[-] [email protected] 1 points 1 day ago
[-] [email protected] -5 points 1 day ago* (last edited 1 day ago)

They are even more fanatically anti - ml than their beloved ww2 nazi examples.
You can feel them foaming at the mouth.

[-] [email protected] 37 points 1 day ago

Was just gonna say. Exactly what some authoritarian boot lickers would do.

[-] [email protected] 52 points 1 day ago

“Of course the Central Committee would have access to your instance. Why is that a problem? Are you doing something counter-revolutionary?!”

load more comments (3 replies)
this post was submitted on 11 Jul 2025
649 points (95.6% liked)

You Should Know

39738 readers
526 users here now

YSK - for all the things that can make your life easier!

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)


Rule 1- All posts must begin with YSK.

All posts must begin with YSK. If you're a Mastodon user, then include YSK after @youshouldknow. This is a community to share tips and tricks that will help you improve your life.



Rule 2- Your post body text must include the reason "Why" YSK:

**In your post's text body, you must include the reason "Why" YSK: It’s helpful for readability, and informs readers about the importance of the content. **



Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.



Rule 4- No self promotion or upvote-farming of any kind.

That's it.



Rule 5- No baiting or sealioning or promoting an agenda.

Posts and comments which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.



Rule 6- Regarding non-YSK posts.

Provided it is about the community itself, you may post non-YSK posts using the [META] tag on your post title.



Rule 7- You can't harass or disturb other members.

If you harass or discriminate against any individual member, you will be removed.

If you are a member, sympathizer or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people and you were provably vocal about your hate, then you will be banned on sight.

For further explanation, clarification and feedback about this rule, you may follow this link.



Rule 8- All comments should try to stay relevant to their parent content.



Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.



Rule 10- The majority of bots aren't allowed to participate here.

Unless included in our Whitelist for Bots, your bot will not be allowed to participate in this community. To have your bot whitelisted, please contact the moderators for a short review.



Rule 11- Posts must actually be true: Disiniformation, trolling, and being misleading will not be tolerated. Repeated or egregious attempts will earn you a ban. This also applies to filing reports: If you continually file false reports YOU WILL BE BANNED! We can see who reports what, and shenanigans will not be tolerated.

If you file a report, include what specific rule is being violated and how.



Partnered Communities:

You can view our partnered communities list by following this link. To partner with our community and be included, you are free to message the moderators or comment on a pinned post.

Community Moderation

For inquiry on becoming a moderator of this community, you may comment on the pinned post of the time, or simply shoot a message to the current moderators.

Credits

Our icon(masterpiece) was made by @clen15!

founded 2 years ago
MODERATORS