PhilipTheBucket

joined 11 months ago
[–] PhilipTheBucket@ponder.cat 3 points 17 hours ago

The relevant repo is:

https://github.com/LemmyNet/lemmy-docs

If you wanted to submit a PR, I think that would be a good idea. I've posted the patch elsewhere in the comments.

[–] PhilipTheBucket@ponder.cat 14 points 17 hours ago* (last edited 17 hours ago)
***
a/docker-compose.yml	2025-07-12 00:17:33.050443300 +0000
+++ b/docker-compose.yml	2025-07-12 00:18:21.038972526 +0000
@@ -37,7 +37,7 @@
     image: dessalines/lemmy-ui:0.19.12
     environment:
       - LEMMY_UI_LEMMY_INTERNAL_HOST=lemmy:8536
-      - LEMMY_UI_LEMMY_EXTERNAL_HOST=lemmy.ml
+      - LEMMY_UI_LEMMY_EXTERNAL_HOST={{ domain }}
       - LEMMY_UI_HTTPS=true
     volumes:
       - ./volumes/lemmy-ui/extra_themes:/app/extra_themes
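
Review bot: the added `LEMMY_UI_LEMMY_EXTERNAL_HOST={{ domain }}` line is only correct if this file goes through a template-rendering step before Docker Compose reads it; copied as-is, the UI would be given the literal string `{{ domain }}` as its external host. Suggest a comment directly above the line saying it must resolve to the instance's own domain, and a sentence in the install instructions telling operators who copied the earlier file to check that their deployed `docker-compose.yml` no longer carries the removed `lemmy.ml` value.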

Edit: From https://github.com/LemmyNet/lemmy-docs/tree/main/assets

[–] PhilipTheBucket@ponder.cat 9 points 17 hours ago* (last edited 17 hours ago)
***
a/docker-compose.yml	2025-07-12 00:17:33.050443300 +0000
+++ b/docker-compose.yml	2025-07-12 00:18:21.038972526 +0000
@@ -37,7 +37,7 @@
     image: dessalines/lemmy-ui:0.19.12
     environment:
       - LEMMY_UI_LEMMY_INTERNAL_HOST=lemmy:8536
-      - LEMMY_UI_LEMMY_EXTERNAL_HOST=lemmy.ml
+      - LEMMY_UI_LEMMY_EXTERNAL_HOST={{ domain }}
       - LEMMY_UI_HTTPS=true
     volumes:
       - ./volumes/lemmy-ui/extra_themes:/app/extra_themes
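
Review bot: the file header above this hunk is malformed as posted: it reads `***` with `a/docker-compose.yml` on the following line, where a unified diff needs `--- a/docker-compose.yml`, so `patch` or `git apply` will reject it. Suggest reposting the patch inside a code block so the `---` line survives rendering, or submitting it as a PR against the repo instead; the one-line change itself is easy to verify by eye against the `-` and `+` lines.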

Edit: Just to be clear, this applies to https://github.com/LemmyNet/lemmy-docs/tree/main/assets which is linked to from https://join-lemmy.org/docs/administration/install_docker.html

[–] PhilipTheBucket@ponder.cat 5 points 17 hours ago (4 children)

I am not typing here in the hopes that they will fix it. I am typing here to communicate to other users what's up with it. Whether or not to fix it is up to them. You're welcome to your opinion.

[–] PhilipTheBucket@ponder.cat 40 points 18 hours ago

I think it would be very rare that people would put two and two together to realize that their password had been "stolen" by this event. Like I say, I have no real idea even if it is being stolen, just that it would be trivial for .ml to decide that they wanted to start keeping a little cache of everyone's admin email addresses and passwords.

Like someone else said, if it was anyplace other than lemmy.ml, I wouldn't give it a second thought, it would just be "whoa you gotta fix this." I sort of agree with you that there's not even really any strong indication that there's anything all that bad they could do with it. It's only because lemmy.ml moderation actions already have such a pattern of authoritarian dishonesty that I get to any degree paranoid or alarmed about it.

[–] PhilipTheBucket@ponder.cat 2 points 18 hours ago* (last edited 18 hours ago) (12 children)

Within the last hour, dessalines has posted three things about communism that are longer than the fix for this issue.

Edit: Everyone's got the right to do whatever they want to do. I'm not trying to accuse anyone of not spending enough time making software for me, just because occasionally they might want to do some other things with their life. The thing I'm trying to emphasize with this is how short the fix is. It's seconds. It's not one of those "but you have to recompile, what about this other branch" or anything like that. It's literally a fairly critical security fix with 100% of the fix in a one-line change to a documentation file.

[–] PhilipTheBucket@ponder.cat 7 points 18 hours ago (1 children)

Did you use a different admin password when you did the new setup after fixing it? If not, I think you should change your admin password.

[–] PhilipTheBucket@ponder.cat 76 points 18 hours ago (10 children)

The longer I look at it the more suspicious I am of it, to be honest. I'm just kind of generally a paranoid and accusatory person, so take that into account, but... the files are pretty carefully set up. They have variable substitutions for everything, including a bunch of places where there's a template substitution to change a string around when setting cache keys so that it'll still work out-of-the-box right away, even in complex configurations like multiple domains on a single server. It all works out-of-the-box right away, they've clearly been attentive to making sure it's all set up right and keeps working cleanly as things have been evolving forward. Except for that one place.

[–] PhilipTheBucket@ponder.cat 115 points 18 hours ago (40 children)

I think it should be more public knowledge than just people who peruse the github issues. Also, it's so trivial to fix that it will save them some time if they don't have to close the issue after they spend literally 10-15 seconds fixing it.

[–] PhilipTheBucket@ponder.cat 11 points 20 hours ago

What if the emotional resonance of specific, concrete actions is precisely what builds the coalition necessary for systemic change?

People familiar with Paul Farmer said that his involvement with individual direct patients on a constant and ongoing basis was a big part of why he could spend his other time on globe-spanning improvements to the global health system and have it have some kind of real positive impact.

 