I've been having trouble keeping this instance up - right now, it's a problem with proxy errors between the docker containers as well as with the Ansible scripts. It's taking too much time to maintain.
I'll do my best to keep the server up until 31 Oct 2023. After that, it will likely be shut down.
Hey all! You may have noticed that Wayfarers' Haven has been down. I noticed, too, but didn't have time to get to it until the weekend.
It turns out that the docker images had become so bloated that there was no longer enough disk space to do anything at all. A simple docker system prune -a --volumes sorted that right out and I'll set a cron job to handle that going forward.
With that said, this simple issue showed the vulnerabilities of an instances with a single admin. I'm sorry for the downtime and confusion. Personally, I'll be creating a backup user on other instances using this tool: https://github.com/CMahaff/lasim
Recap of the Lemmy XSS incident & steps for mitigation - LemmyWorld > Wayfarers' Haven approach
Recap of the Lemmy XSS incident & steps for mitigation - Lemmy.world
https://lemmy.world/post/1293336
# UPDATE: The latest RC version of Lemmy-ui (0.18.2-rc.2) contains fixes for the issue, but if you believe you were vulnerable, you should still rotate your JWT secret after upgrading! Read below for instructions. Removing custom emoji is no longer necessary after upgrading. Original post follows: ---- This post is intended as a central place that admins can reference regarding the XSS incident from this morning. ### What happened? A couple of the bigger Lemmy instances had several user accounts compromised through stolen authentication cookies. Some of these cookies belonged to admins, these admin cookies were used to deface instances. Only users that opened pages with malicious content during the incident were vulnerable. The malicious content was possible due to a bug with rendering custom emojis. Stolen cookies gave attackers access to all private messages and e-mail addresses of affected users. ### Am I vulnerable? If your instance has ANY custom emojis, you are vulnerable. Note that it appears only local custom emojis are affected, so federated content with custom emojis from other instances should be safe. ### I had custom emojis on my instance, what should I do? This should be enough to mitigate now: 1. Remove custom emoji DELETE FROM custom_emoji_keyword; DELETE FROM custom_emoji; 2. Rotate your JWT secret (invalidates all current login sessions) -- back up your secret first, just in case SELECT * FROM secret; -- generate a new secret UPDATE secret SET jwt_secret = gen_random_uuid(); 3. Restart Lemmy server If you need help with any of this, you can reach out to me on Matrix (@sunaurus:matrix.org) or on Discord (@sunaurus) ### Legal If your instance was affected, you may have some legal obligations. Please check this comment for more info: https://lemmy.world/comment/1064402 [https://lemmy.world/comment/1064402] ##### More context: https://github.com/LemmyNet/lemmy-ui/issues/1895 [https://github.com/LemmyNet/lemmy-ui/issues/1895] https://github.com/LemmyNet/lemmy-ui/pull/1897 [https://github.com/LemmyNet/lemmy-ui/pull/1897]
You'll probably have heard about Meta's Threads which is a Twitter replacement running on Activity Pub - that means that it can and likely will federate with the rest of the Fediverse.
There are strong feelings about this, from petition: Defederate any instances that federates with threads proactivly , add threads.net on blocklists everywhere., citing the triple E problem. Then there are other opinions where it's worth creating a place for everyone and having access to the Threads content from the Fediverse without using the Threads interface.
My initial thought here is to wait and see. I don't think immediate action is going to matter all that much and defederation literally takes a few clicks. This is a tiny instance and one of its strengths is being able to connect to everyone else.
What are your thoughts?
Quick server update:
Upgraded to Lemmy 0.18.1 - lots of goodies including new themes in the user profile, better new/active/hot filtering, etc. See full changelog for more details.
Checked the server status:
- Currently using 18/40GB of storage. Lemmy itself is using about 11 GB with half going to images and half to the database. This isn't what we're uploading ourselves but due to federation.
- CPU and RAM usage seem to be comfortable.
- Checked into upgrade options on Hetzner - these will be reasonable. I can continue with the 3,90 euro/month package for the moment.
cross-posted from: https://startrek.website/post/209066
We've been investigating some recurring issues with the user experience on the instance, and have traced it back to the way Lemmy handles language settings.
Here's the TL;DR on how to ensure you see all of the content on this instance:
In your user settings, make sure "Language" is set to both "English" and "Undetermined".
On desktop, you can use CTRL+click to select both options.
This will allow you to see content for which the author has not set a language, and content which has been set to "English".
Lemmy.world Admin Response to Defederation from Exploding Heads - Lemmy.world
https://lemmy.world/post/747912
We’re closing this thread. Everything that could be said has been said. Thank you ---------- Original Post: Today, we want to inform everyone that we have decided to defederate from https://exploding-heads.com/ [https://exploding-heads.com/]. We understand that defederating should always be a last resort, and individuals can certainly block communities. However, blocking alone does not prevent potential harm to vulnerable communities. After carefully reviewing the instance, reported posts, and multiple comments from the community, we have concluded that exploding-heads is not adhering to the Lemmy or Citizen Code of Conduct. Therefore, we cannot, in good faith, continue to federate with an instance that consistently promotes hate, racism, and bullying. Examples: https://lemmy.world/post/577526 [https://lemmy.world/post/577526] - Community Moderator Harassment https://exploding-heads.com/post/92194 [https://exploding-heads.com/post/92194] - Systemadmin Post https://exploding-heads.com/post/90780 [https://exploding-heads.com/post/90780] - Systemadmin Post https://exploding-heads.com/post/91488 [https://exploding-heads.com/post/91488] - Systemadmin Post https://exploding-heads.com/post/93725 [https://exploding-heads.com/post/93725] - Community Moderator Post Again, deciding to defederate from an instance is not taken lightly. In the future, we will continue to review instances on a case-by-case bases. As for our community, please refrain from posting or commenting with hateful words as well. Arguing back and calling people names is not the solution. The best course of action is to report the posts or comments violating our server rules. Lemmy Code of Conduct https://join-lemmy.org/docs/code_of_conduct.html [https://join-lemmy.org/docs/code_of_conduct.html] Citizen Code of Conduct https://github.com/stumpsyn/policies/blob/master/citizen_code_of_conduct.md [https://github.com/stumpsyn/policies/blob/master/citizen_code_of_conduct.md] “We are committed to providing a friendly, safe, and welcoming environment for all, regardless of level of experience, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, ethnicity, age, religion, nationality, or other similar characteristic.”
LemmyTools
https://greasyfork.org/en/scripts/469169-lemmytools
A small suite of tools to make Lemmy easier.
https://join-lemmy.org/news/2023-06-17_-_Update_from_Lemmy_after_the_Reddit_blackout
Email works! I have spent hours troubleshooting this and finally found a solution. This should make the sign-up flow easier - and now I'll also get notifications when we have new sign-ups.
That solves the final real problem for this server. Let's see where we go from here!