  • YSK: If you set up a Lemmy instance, and follow the Docker setup instructions to the letter, it will send lemmy.ml your admin password during the setup process (Edit: Not anymore, it’s fixed now)

  • Let's not get carried away. Shared software systems are about more than the software. If you're looking only at the software, and that was literally 100% of what is important here and nothing else, then yes, you're right.

    But you want it fixed less than you want it publicized

    100%. Yes. Correct. I also want it fixed, but that's completely trivial, with or without the pull request.

  • See the edit to the post.

  • Would have been nice with a link from the start.

    Yeah, 100%. I edited the post to add more of the details.

  • I mean probably I should. There are a bunch of people accusing me of being dick headed and petty and they're not completely wrong. Honestly, I just don't feel like helping the Lemmy devs. Dessalines, at least, is totally unapologetic about being a dickhead to people he has power over. That puts me in a mindset where, mostly, I want to talk to other people about potential harm he's in a position to do, and not really in a mindset where I want to do even a small amount of extra work on his behalf.

    I'm going to tell other people that he's in a position to take their passwords. If he wants to see that and put himself not in that position anymore? Great, I think he should. If he gets his feelings hurt because I'm not being super friendly about it? Well.. okay. I'm not trying to be malicious about it or do anything other than clearly communicate the problem. But it seems like the lemmy.ml "in charge" crew in general has a lot of a mentality that's kind of like, "Well, I'm in charge, and you're not, so fuck what you think and fuck your rights. Ban." (or whatever). The way I operate is that really makes me not want to be extra friendly or courteous to people. I used to have a regular donation to Lemmy development set up, I used to take it seriously the idea of getting involved in contributing to the code, and then I observed how they operate, and ... like I say I'm mostly talking to the other people involved who I think should be aware of this. If the devs want to react, fix it, or get involved in the conversation, then sure, sounds good.

    The fix is in the comments below, if someone else wants to contribute it and do the very small amount of work of getting it in.

  • Quixote

  • A lot of people, I think, would appreciate knowing if there's indication that their software might be doing something sketchy to them. You might feel that my appropriate response about it should be to shut up, shut up, shut up!, but I don't think I will. When it comes to issues of trust and security in software, it's usually not that good an idea to just silently fix it and not talk about it so nobody's feelings will be hurt and no one will feel bullied.

    I've posted the patch and recommended that someone post a PR about it. I do think it would be good if it gets fixed. If the Lemmy devs claim that me being a twat is a good excuse for just leaving it as is, then like I said, that's a super interesting turn of events.

  • Yeah, don't they realize they could have just spent that time productively by making a pull request, instead?

  •  
        
    --- a/docker-compose.yml	2025-07-12 00:17:33.050443300 +0000
    +++ b/docker-compose.yml	2025-07-12 00:18:21.038972526 +0000
    @@ -37,7 +37,7 @@
         image: dessalines/lemmy-ui:0.19.12
         environment:
           - LEMMY_UI_LEMMY_INTERNAL_HOST=lemmy:8536
    -      - LEMMY_UI_LEMMY_EXTERNAL_HOST=lemmy.ml
    +      - LEMMY_UI_LEMMY_EXTERNAL_HOST={{ domain }}
           - LEMMY_UI_HTTPS=true
         volumes:
           - ./volumes/lemmy-ui/extra_themes:/app/extra_themes
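
    Review bot: the replacement value on the `+` line, `{{ domain }}`, is a template placeholder, so a reader who copies this file as-is without filling it in will start lemmy-ui with that literal string as its external host. Suggest a short comment above the line, or a sentence in the install page that links to this file, saying it must be set to the instance's own public hostname before the containers are started.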
    
      

    Edit: From https://github.com/LemmyNet/lemmy-docs/tree/main/assets

  •  
        
    --- a/docker-compose.yml	2025-07-12 00:17:33.050443300 +0000
    +++ b/docker-compose.yml	2025-07-12 00:18:21.038972526 +0000
    @@ -37,7 +37,7 @@
         image: dessalines/lemmy-ui:0.19.12
         environment:
           - LEMMY_UI_LEMMY_INTERNAL_HOST=lemmy:8536
    -      - LEMMY_UI_LEMMY_EXTERNAL_HOST=lemmy.ml
    +      - LEMMY_UI_LEMMY_EXTERNAL_HOST={{ domain }}
           - LEMMY_UI_HTTPS=true
         volumes:
           - ./volumes/lemmy-ui/extra_themes:/app/extra_themes
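
    Review bot: nothing in this hunk guards against a fixed third-party hostname being left elsewhere in the same assets directory or reintroduced later on the `LEMMY_UI_LEMMY_EXTERNAL_HOST` line. Suggest searching the other files there for a literal `lemmy.ml` as part of this change, and adding a one-line comment that distinguishes this value (the instance's public hostname) from `LEMMY_UI_LEMMY_INTERNAL_HOST=lemmy:8536` (the container-internal address).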
    
      

    Edit: Just to be clear, this applies to https://github.com/LemmyNet/lemmy-docs/tree/main/assets which is linked to from https://join-lemmy.org/docs/administration/install_docker.html

  • I am not typing here in the hopes that they will fix it. I am typing here to communicate to other users what's up with it. Whether or not to fix it is up to them. You're welcome to your opinion.

  • I think it would be very rare that people would put two and two together to realize that their password had been "stolen" by this event. Like I say, I have no real idea even if it is being stolen, just that it would be trivial for .ml to decide that they wanted to start keeping a little cache of everyone's admin email addresses and passwords.

    Like someone else said, if it was anyplace other than lemmy.ml, I wouldn't give it a second thought, it would just be "whoa you gotta fix this." I sort of agree with you that there's not even really any strong indication that there's anything all that bad they could do with it. It's only because lemmy.ml moderation actions already have such a pattern of authoritarian dishonesty that I get to any degree paranoid or alarmed about it.

  • Within the last hour, dessalines has posted three things about communism that are longer than the fix for this issue.

    Edit: Everyone's got the right to do whatever they want to do. I'm not trying to accuse anyone of not spending enough time making software for me, just because occasionally they might want to do some other things with their life. The thing I'm trying to emphasize with this is how short the fix is. It's seconds. It's not one of those "but you have to recompile, what about this other branch" or anything like that. It's literally a fairly critical security fix with 100% of the fix in a one-line change to a documentation file.

  • Did you use a different admin password when you did the new setup after fixing it? If not, I think you should change your admin password.

  • The longer I look at it the more suspicious I am of it, to be honest. I'm just kind of generally a paranoid and accusatory person, so take that into account, but... the files are pretty carefully set up. They have variable substitutions for everything, including a bunch of places where there's a template substitution to change a string around when setting cache keys so that it'll still work out-of-the-box right away, even in complex configurations like multiple domains on a single server. It all works out-of-the-box right away, they've clearly been attentive to making sure it's all set up right and keeps working cleanly as things have been evolving forward. Except for that one place.

  • I cannot imagine any responsible dev who would read this notification and say anything other than "Oh shit, yeah, that's really bad," and fix it on the spot before they continue with whatever they had visited Lemmy to do. Like I say, it's relevant that it takes literally seconds to grasp the issue and fix it.

    I don't fully disagree with you, I get it, github issues is where issues with the software belong. I wasn't trying to be a jerk by suggesting that you do it. Anyone from these comments is welcome to. But, also, I am sort of curious about what their reaction will be. Finding out that kind of thing is interesting to me.

    If they are actively uninterested in fixing it, however they get made aware of it, then that's really interesting.
