nutomic

What is this "stance on mod features" that you are talking about?

Im a former contributor to F-Droid with various merged pull requests. Looking at the indicated pull request I really doubt that it was an intentional attack. First of all its easy to forget for a new developer to escape SQL parameters, and the docs dont even mention a risk of SQL injection attacks. And of the users pushing for the PR to be merged, one is a long-time F-Droid contributor, and the other also looks like a real human with many contributions in other repos, so no sockpuppets in sight.

It simply looks like standard open source behaviour, for better or for worse. A new user makes a contribution for a highly demanded feature, and users want it to get merged as soon as possible. Maintainers are discussing the big picture of the change and want to avoid breaking changes, without getting into code review yet. The new contributor seems unwilling to make any design changes to his PR, and gets frustrated that it doesnt get merged as is. The potential vulnerability is only noticed half a year after the PR was opened, at which point it was already de facto abandoned. So not an attack, but simply a developer who is new to open source and doesnt understand how the process works.

We applied for funding last August, but unfortunately we are still waiting for it to be finalized. Seems like NLnet is quite overloaded these days.

The Activitypub protocol is fine. It could use some minor improvements but there's definitely no reason for an entirely new protocol.

I still remember your name from the early days, it's great that you stuck around! How much Lemmy changed in these few years...

We only do major versions around once a year so those could still be named, while using numbers for minor versions. Lemmy is more user-facing than react, so it would make sense to have a more user-friendly versioning.

We didnt make any changes to the Lemmy version running on this instance during the past week. So it must be something else...

The problem is that a server could very easily lie and claim to have captchas when it really doesnt.

Someone on in the Matrix chat tried this and didnt have any problems.

I see now, if an instance has any site languages configured those will be applied for new users. You can see it in /api/v3/site field discussion_languages. However both lemmy.world and lemm.ee return all languages there.

Edit: Im removing this as part of the PR to set new user languages from accept-language header, it doesnt make sense anymore with that.

Yes contributions to improve this interface would definitely be welcome.

There was a bug with KBin some days ago where it would send huge amounts of federation activities to Lemmy instances which would overload them. To mitigate this, lemmy.world and some other instances had to block kbin.social. I believe the .world admins tried to get in contact with @ernest@kbin.social. You can read some more details here.

I would also suggest that you and Ernest join the Lemmy Admin chat on Matrix where this problem was found and discussed.