Minor security update, not much to see here.

That's because of a cross-site scripting vulnerability.

Unfortunately it also looks like a bug in Lemmy-ui keeps your stale session cookie even after you've been logged out. If you're having trouble staying logged in, login and then immediately logout. After you login again, it should be persistent, but if not, clear your cookies and go from there.

For those out of the loop, several Lemmy instances such as lemmy.world were hacked.

An update on what happened including steps for mitigation has been posted.

I thought it was worth bringing up seeing as partizle.com has custom emojis and thus vulnerable to the hack.

There was a bit of downtime. Upstream, lemmy had patched Nginx to not broadcast its version. We'd already done that anyway, and the duplicate directive caused downtime while I tracked down the error.

Sorry for the inconvenience.

Also, I reverted the default "theme" from our partizle-blue to Lemmy's default green because it works better for night mode users.

I noticed that you've defederated from lemmygrad and a couple of other sites, but not exploding-heads? What's the deal with that? What's your stance on making this a safe place for people who exploding-heads seems likely to bully?

Lemmy 0.18 has Slack-style emojis. Obviously, we need some custom emojis.

What should they be?

Big upgrade... Hopefully all is well with it.

We did have a few minutes of downtime while we sorted out an issue with how they refactored site icons without a needed migration.

So here's the consensus:

For the time being, we had to switch from open registration to approval registration with email verification. 😭

We'd prefer an open registration system with more robust swatting away of spambots/scammers/whatever. There are technical ways of accomplishing that, but (1) time constraints, (2) none of us know Rust or the Lemmy codebase. Upon running the instance, we have come to understand that Lemmy's moderation/maintenance tools are pretty weak and only designed to react to bad posts/accounts on a 1-by-1 basis. So to keep the instance usable and friendly, we're just putting a speed bump in place for new accounts.

We will still approve basically all the ones we think are real people, but we wanted to keep spambots from being able to signup and post junk without us being able to react in time.

We do hope to return to open registration, perhaps either after Lemmy updates its moderation tools. We've also kicked around starting a kbin instance, since it has perhaps more development momentum. But don't worry, this Lemmy instance isn't going anywhere. And we will look at ways of resuming open registration if we can.

No idea what's new because there are no release notes.

You briefly got "too many redirects" because ansible borked some changes we made to work with Cloudflare.

When @bouncing@partizle.com, @The_iceman_cometh@partizle.com and I started this instance, we figured we'd get a dozen or so signups from people we knew. We left registration open, figuring no one would care because we did exactly nothing to promote this.

It's by any measure still a small instance (~100 users) but even so, moderation of other instances is now a thing: we've blocked some troublesome instances, in particular ones that we suspect traffic in borderline illegal content. We by no means, however, have any good grasp on what's federating to us from the open web.

Sooner or later, bots and spammers and trolls will find our humble little instance. Lemmy's only real remedies for that is an application process and/or verified email. Both to our mind seem useless, because bots can convincingly automate either or both. Cloudflare can keep out the more naive bots, though ratcheting up the security in it causes inconvenience for users, especially ones who protect their privacy (think of captchas you get when using a VPN).

For its part, Lemmy is fun software, but not especially feature-rich. There's really no admin interface to speak of. If you get 100 bot signups, you have to ban them, one at a time. That hasn't happened yet to us, but it has happened to other instances, and it's rough. We've considered even just slapping a Django admin UI on its Postgres database, but we'd need to learn the table structure and also make sure that just updating tables in Postgres is enough (ie, does Lemmy's backend have state in RAM, etc). It's not something we're ready to take on right now.

Anyway, about the possible future of bots and spammers: So what do you guys think? Leave registrations wide open? Require approval? Keep it the way it is, but lean more on Cloudflare for protection?

Well, no one said Lemmy's default email templates are pretty, but they're up. So if you lose your password, you can recover it. If we decided to use applications instead of open registration, that should work now too.

It's just via Mailgun (free tier) so hopefully that does it. Check your spam folder.

66 users isn't a ton, though we're on a super-cheap VPS right now. It isn't really clear how scalable lemmy's software actually is; so far basically the whole lemmyverse has been tiny. Given the way it federates, I'd imagine the demands are not linear.

We're seeing spikes of ~20% CPU. We might upgrade the VPS and consider capping the number of users.

Anyway, I'll bump up the VPS we're on for a bit given the whole Reddit drama. There will be a brief period of downtime while I do so.

[Update] Upgrade complete. 🤘

It looks like we’re now getting federated mod actions from lemmy.ml affecting our side. Since we don’t necessarily agree with their moderation, we’ll look at ways of addressing this.

Needless to say, we’re new to this.

You guys have any thoughts? When we decided to try this, we didn't talk much about whether to say no politics or some politics. I think we all agreed that we don't want yet another "all politics all the time" instance but where do we draw the line?