I typed a reply about how bad actors will use reasonable arguments to get their way, so we'd need genuine evidence
my comment didn't send properly tho and i got an error message, so if you see me commenting twice, sorry
Magazine dedicated to discussions about the kbin itself. Provide feedback, ask questions, suggest improvements, and engage in conversations related to the platform organization, policies, features, and community dynamics. ---- * Roadmap 2023 * m/kbinDevlog * m/kbinDesign
I typed a reply about how bad actors will use reasonable arguments to get their way, so we'd need genuine evidence
my comment didn't send properly tho and i got an error message, so if you see me commenting twice, sorry
I mean, he's developing and administrating what's essentially a Reddit clone all on his own.
I mean, he’s developing and administrating what’s essentially a Reddit clone all on his own.
And doing a damn fine job.
The question was if you saw similarity in the pressure to add maintainers to the project with the social engineering that lead to xz getting backdoored.
No, he's not. Kbin was recently down for a week. Then voting and comment counts broke. Before all that I had to get into the habit of reloading the page I was on every time I wanted to vote on something. It's a terrible user experience.
That's not to say I don't like him or he's not a good dev or whatever. Just that people have limits and it sure seems like he's bumping against his.
I think Ernest is doing a fine job. [shrug] Especially when you consider none of us are being charged to be here.
Could we please stop talking about if Ernest is burning out though? That was never the question of this thread.
The question was if the comments reminded you of the social engineering that engendered the xz backdoor.
I didn't say anything about burning out. A job can be too big or difficult for a person without them burning out.
Ultimately, it's just a question of results. If kbin.social is working poorly but other alternatives are doing good, I move on. That works well in the Fediverse especially, as evidenced that I am commenting from fedia.io.
Likewise I also moved on from Kbin. Obviously we have no power over that project, that belongs solely to the person who created it, but we do control our own actions. e.g. I used to sing the praises of the Fediverse and go out of my way to not equate it with Lemmy - always saying like Lemmy/Kbin. Now I still do the former but I actively tell people that Kbin might not be a good match for them. Ernest has kept it as alpha version software - which is fine, there is a need for such things, and it will become great, someday... hopefully. But today is not that day, and that is super good for people to know, e.g. that they don't have to leave the Fediverse entirely to get a more functional experience, just Kbin.social.
fedia.io is running mbin, which is a fork of kbin. It seems to be doing well, so you could switch to Lemmy/mbin if you don't want to include kbin any more but still want to show alternate clients are possible.
Thank you for the suggestion. So far I've just taken to saying "Fediverse", perhaps I'm holding out hope for still more clients in the future:-)? Also it's shorter than Lemmy/Kbin/Mbin:-).
Piefed also looks promising.
Piefed also looks promising.
That one interoperable with Mastodon like Kbin is?
It appears focused on being compatible with lemmy, but I haven't asked the dev what their plans are for mastodon integration.
They do have an interesting image-viewing mode though, which is pretty cool. :)
Nope, and it doesn't seem to be on the agenda either. Kbin/Mbin is still the only platform(s) to try to bridge the two.
Kbin/Mbin is still the only platform(s) to try to bridge the two.
Moreover it seems to have better discoverability than mastodon Mastodon. I can type a word or phrase in the search bar on kbin and find "Mastodon" posts whereas I'm stuck viewing whatever is timeline trending on Mastodon proper unless I follow someone or can figure out whatever hashtag person might have affixed to their post.
Even with kbin being down a good 1/5 of the time it remains the best ActivityPub viewing experience (in my).
Exactly! More and more products can be added - like now we are hearing about Fedi-wikis (from the original Lemmy developer iirc), and ofc there will be Threads (whether we dread it or not!), so the Fediverse (iirc, defined basically as anything that uses the ActivityPub protocol?) is growing up, spurred onwards by the ongoing demise of Reddit even if started long before. :-)
I saw the term "threadiverse" being used to group all Reddit alternatives interoperable with the Fediverse.
I saw the term "threadiverse" being used to group all Reddit alternatives interoperable with the Fediverse.
Yeah, but Meta's fucked up the application of anything containing "thread".
I didn't say anything about burning out.
Fairplay, but that then's two step removed from what this thread is about.
And he's burning out. And more maintainers would be even better.
Yes, it's similar, but every one-man project with real-world use is similar in that regard.
And he’s burning out.
I have seen no evidence of that. Also not the point of this thread.
I’m not going to pick through his last year’s posts and make a diagnosis, but if you’ve seen no evidence of that, I think you’re wilfully ignoring the signs.
I’m not going to pick through his last year’s posts and make a diagnosis, but if you’ve seen no evidence of that, I think you’re wilfully ignoring the signs.
Ok, I'll continue "ignoring" evidence you can't even describe ("He talked somewhere about..."), much less cite.
For all we know his frequent absence is down to a great work-life balance on his part.
Irrespective this thread is not about who is or is not burnt out, it's about how posts like your are what enabled the xz backdoor to happen.
Irrespective this thread is not about who is or is not burnt out, it's about how posts like your are what enabled the xz backdoor to happen.
I thin you need to chill a bit. Open source has a long illustrious history of people cooperating to build software and submit patches and enhancements which are then scrutinized by project leads. Yes, occasionally bad actors use this model to try and slip through exploits, but you don't throw out one of the strengths of open source because of that. You make sure mechanisms are in palce to allow robust scrutiny.
And no, I'm absolutely not going go through someone's post history and quote bits that show someone is frazzled. I expect you to have enough empathy
I thin you need to chill a bit.
I'm not the one calling people willfully ignorant about things a thread isn't even about.
one of the strengths of open source because of that.
I don't think being a jerk is a strength
I used it as a support to my argument, so, it's relevant. No evidence, you say... I don't want to talk too much about someone's health issue. Just believe what you believe. I don't think you can change your view through online discussion.
I used it as a support to my argument
What argument? I'm not sure what you position is.
He is doing an excellent job, and I do not mean to denigrate his work when I say the task is beyond any one person, no matter how talented and dedicated. Look at the issues that went on recently while Ernest was indisposed, and we had months of federation issues that led to communities migrating away and Kbin.social getting defederated by other instances.
This project is getting too large for any one person, and it's far too important to have one point of failure. And even someone as great as Ernest needs an understudy.
Yes, there is some similarity. You're not wrong.
However, it's much more likely to be due to the common experience of solo devs whose projects blow up than it is about bad actors on kbin.
If you're so inclined, you can always check the profiles of those who were pushing for it and particularly those who were volunteering; the boehs.org link should supply some helpful red flags to look for. Ernest would be wise to check IP activity and even ask for IRL credentials of those he would consider giving any real level of access to. Beyond that, it's firmly in the realm of "mildly interesting."
It's not the boeh.org link, but here is a similar timeline of events: https://research.swtch.com/xz-timeline
I don't know what this xz thing is about, first time hearing it. But people saying he should get more help are trying to help him, not having malicious plans like installing backdoors or whatever.
I do think people should ask less for more maintainers — the project is already opensource, so it's up to maintainers to join, not him to seek them out. But he should still get some help with managing the instance. Pauses in development are fine imo, but the instance shouldn't be swarmed with spam and account deletion requests lost in limbo just because ernest got sick or something, which can happen with the best work life balances.
I don't know what this xz thing is about, first time hearing it.
Someone pressured the maintainer of a compression tool used in a bunch of open source software to hand over the keys by citing burnout and offering to "help" then spent ~3 years slowly adding tiny changes that combined to form a backdoor in SSH that nearly compromised the entire internet or something.
It was only barely caught by accident because it made some thing some guy was doing that wasn't even related a fraction of a second slower.
Been all over the FOSSiverse for days, and the social engineering that was used on the xz maintainer reminded me personally of similar pressure certain people have applied to Ernest in most threads about kbin performance I have seen.
The reason it worked is because sometimes burnout is a real problem, and getting extra help is a real solution. The fact that this was exploited in one situation doesn't mean that all of a sudden there isn't any real burnout or genuine offers to help any more.
A project can sometimes benefit from help even if there is no burnout. People have limits.
xz was successful because it was believable, but a malicious actor would more likely target libraries that are depended on by many, like xz.
its open source. it can and has been forked. he can do what he likes. The call for moderation made sense but code is different. Granted I think he should bring in help for himself but that is for him to decide.
Erm, I thought kbin was open source? Can't anybody fork it if they have a problem with it? This sounds like a whiny nothingburger.
Erm, I thought kbin was open source? Can’t anybody fork it if they have a problem with it? This sounds like a whiny nothingburger.
They can. That's what mbin is.
That's part of why I don't get why people always pressure Ernest to add maintainers.
I said that already, mbin might be good but I didn't like the advertisement.
I said that already, mbin might be good but I didn't like the advertisement.
I'm not quite sure what your position is. I am by no means an mbin booster. In fact I find some of the people pushing mbin over kbin (in lieu addition too) jerks about it.
This whole thread has been about the similarities I noticed between comments people made about/to Ernest previously and the sort of comments we later learned led to the xz backdoor.
When I started to read breakdowns about the social engineering behind the xz backdoor I was like, "Waaaaitaminute, I've seen that sort of talk before." I found it notable to point out the similarity and maybe poke around at it.
People decided to use the thread (to my excessive chagrin) to talk shit about kbin and rehash the exact same pressures I was attempting to analyze.
I am by no means an mbin booster.
I didn't mean to say you were, mine was just a side remark.
When I started to read breakdowns about the social engineering behind the xz backdoor I was like, "Waaaaitaminute, I've seen that sort of talk before." I found it notable to point out the similarity and maybe poke around at it.
People decided to use the thread (to my excessive chagrin) to talk shit about kbin and rehash the exact same pressures I was attempting to analyze.
It's a shame, because I noticed similar patterns was looking forward to some good discussion about it here. Alas...
I switched away because kbin seemed stuck and unresponsive to users and uncommunicative. Changes that were made seemed to be ones the Ernest wanted to and not addressing issues that people were feeling in some cases.
I am a software developer for a living and I can tell you that you can both have more people contributing and be secure. Most projects do not have bad actors who successfully poison things. When someone does, they get caught in the review process. If this is your concern, then prove that Ernest himself isn't a bad actor? I don't believe he is, but being one person in control would certainly make that easy.
This is an absurd thread. By collecting together critical comments, and picking back up a loud fight that previously died down over a week ago, you are absolutely adding to any pressure towards our lad in charge.
Touch grass
Touch grass
Suck ya mudda
Honestly, no. Kbin has been barely usable for a long time and I'm starting to consider giving up.
I have a notification waiting for me, but I get a 404 on the page to check it out. /sub also didn't work yesterday. I spent a few minutes trying to edit a comment just an hour ago.
Nothing against Ernest, a page of this size is hard to manage alone or almost alone, but it's still a pain as a user.
I have a notification waiting for me, but I get a 404 on the page to check it out.
Append ?p=1
at the end of the URL; that sometimes fixes it.
Next, relax.
Ernest Adds More Maintainers to Kbin is one of my favorite 80s comedies