Yeah. That function is for adding instances as they are encountered. Your dev server won't initially know about any other instances ('trusted' or not), but as soon as it engages with anything from 'piefed.social', then it will get added to the instance list and the 'trusted' flag will be set to True
piefed.social is hard-coded in the source as a 'trusted instance', so other PieFed instances won't ever send votes to it using alternative profiles. Untrusted instances that receive traffic from PieFed instances will end up generating one row for the main user, and one row for the alt user. It's typically only one extra row (per user), but I think that unticking and ticking 'Vote privately' in settings generates a new random username for the alt everytime, so it could end up being more.
I've complained about the 'trusted instance concept' too ... I've a horrible feeling that it exists to protect piefed.social from the DB bloat it inflicts on everyone else, lol.
It doesn't, no. The bot gets its data from another bot, at https://lemmyverse.net/, which only crawls Lemmy and MBIN instances at the mo.
We'd either need to send a PR to get that bot to crawl PieFed instances too, or just replicate the functionality from the same machine that runs 'tcbot'. Communities would also need to provide their 'active users / month' too. It's just the subscriber count currently, but it shouldn't be too much of a problem hopefully.
I know that the 'Try It Out' commands work for the first server, but I don't know about the other 2 (piefed.social and feddit.online), because it's a whole thing with setting up CORS.
I'd be wary of getting a conversation node from anybody other than the original author (as described in the second approach).
There's a reason why, if you want to resolve a missing post in Lemmy, etc, you have to use the fedi-link to retrieve it from its source, not just from any other instance that has a copy (because, like the "context owner", they could be lying).
For Group-based apps, conversation backfill is mostly an issue for new instances, who might have a community's posts (from its outbox), but will be missing old comments. Comments can be automatically and recursively retrieved when they are replied to or upvoted by a remote actor, but fetching from the source (as you arguably should do) is complicated by instances closing (there's still loads of comments from feddit.de and kbin.social out there - it will be much worse when lemm.ee disappears). So perhaps Lemmy could also benefit from post authors being considered the trusted owner of any comments they receive.
The posts being made to the LW community aren't being made by someone who cares about this comic. They're not genuinely providing anything, they just have a stupid tedious beef with lemmy.ml, and so mindlessly crosspost everything they see posted to an ML community to a non-ML community. This means that if you don't post first, the comic is unlikely to appear at all.
I don't know. It's not something I'm familiar with - it might just default to saying 'closed' if it doesn't have the data.
It's interesting that the obvious bot accounts on those instances were set up in mid-March last year, so I'm guessing that these are somebody's army that they've used before, but overplayed their hand when they turned it on the DonaldJMusk person. The admins can reasonably be blamed for setting up instances with open registrations and no protections and then forgetting about them, but I'd be wary of blaming them for being behind the attack directly. The 'nicole' person is unlikely to have used their own instance - it's probably just someone with the same MO as whoever owns the bots, finding and exploiting vulnerable instances.
lemmy.world recently updated from version 0.19.3 to 0.19.10. This change - for Lemmy communities to federate out posts with the community name as a hashtag - was introduced in 0.19.4, so that might be the other reason why this has only just become an issue for you.
The attacker seems to be the admin of those two instances. Both instances have their registrations closed.
The alternative theory would be that these instances had open registrations, but rightly closed registration down after the admins noticed the bots. chinese.lol is on 0.18.4 with an admin with a 2 year old account, lemmy.doesnotexist.club has an admin with a 1 year account, and it was also that instance that the 'nicole' person has used before. This downvote attack would need to be a long time in the planning for what you're suggesting to be true.
It's harder to detect, but wildly optimistic if they think that people are going to manually type URLs out. It feels like this latest manoeuvre is just to score a win in the arms race against them.
I noticed that a new community - !fedistream@lemmy.world by @Cattail@lemmy.world - has been launched, so maybe there's been an increase that at least one other person has noticed.
I think that's what he meant, yeah (no existing DB migration scripts, etc). I don't know much about it, but I imagine it was probably always going to involve someone more familiar with Lemmy diving into the trenches.
He's mentioned this before, but I've never been able to find an actual PixelFed Group (it doesn't appear to be the same thing as what they call Collections). I'll have another look when pixelfed.social enables them this weekend (but I suspect parsing titles for the posts will be a nightmare).
Also, 'smithereen' is tagged but I'm not sure of its status (all I found was 1 private instance run by the dev, federated with 1 "explicitly-free-speech" Akkoma instance).
I once did some office work for a tobacco company, where you were allowed to smoke at your desk. I don't smoke, but I had a few ciggies when I was there, because you realise that you've never really pointed at anything, until you've pointed at it with a cig in your hand. It's just a better way to point at stuff (I don't make the rules).
