• 14 Posts
  • 185 Comments
Joined 1 year ago
Cake day: June 9th, 2023


  • Everything Wordpress is heavily infested with that. However you don’t have to let it impact you – it kind of looks to me like they pressure commercial vendors to put their stuff under the GPL if they’re wanting to offer a free version, so there’s a robust ecosystem of actually-FOSS tooling for it. My experience has been that it’s always worked pretty well in practice; you just have to keep your nope-I’m-not-paying-for-your-paid-version goggles firmly affixed. (Also, side note, GPT does an excellent job of writing little functions.php snippets for you to enable particular custom functionality for your Wordpress install when you need it.)


  • Wordpress 1,000% (probably coupled with WooCommerce but there are probably some other options)

    I honestly don’t even know off the top of my head why you would use anything else (aside from some vague elitism connected to the large ecosystem of commercial crap which has tainted by association the open source core of it) – it combines FOSS + easy + powerful + popular. You will have to tiptoe around some amount of crapware in order to keep it pure OSS though.


  • Yep.

    There are two big end-user security decisions that are totally mystifying to me about Lemmy. One is automatically embedding images in comments without rehosting the images, and the other is failing to warn people that their upvotes and downvotes are not actually private.

    I’m not trying to sit in judgement of someone who’s writing free software but to me those are both negligent software design from an end-user privacy perspective.


  • Of note about this is that image links in comments aren’t rehosted by Lemmy. That means it would be possible to flood a community with images hosted by a friendly or compromised server, and gather a lot of information about who was reading that community (how many people, and all their IP address and browser fingerprint information, to start with) by what image requests were coming in kicked off by people seeing your spam.

    I didn’t look at the image spam in detail, but if I’m remembering right the little bit of it I looked at, it had images hosted by lemmygrad.ml (which makes sense) and czchan.org (which makes less sense). It could be that after uploading the first two images to Lemmygrad they realized they could just type the Markdown for the original hosting source for the remaining three, of course.

    It would also be possible to use this type of flood posting as a smokescreen for a more targeted plan of sending malware-infected images, or more specifically targeted let’s-track-who-requests-this-image-file images, to a more limited set of recipients.

    Just my paranoid thoughts on the situation.
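The tracking mechanism described in the comment above, as an added example that is not part of the original thread or of Lemmy's code: a small script that lists which images in a comment's Markdown would be fetched from a server other than the reader's home instance, and what the operator of such a server gets to log per fetch. The home instance name (`lemmy.example`), the sample comment and the sample request headers are constructed here; the Markdown matcher is a minimal one written for this example, not Lemmy's parser.

```python
"""Added example (not from the original thread or from Lemmy):
what a non-rehosted comment image leaks, and how to spot such links.

Assumptions (not from the page): HOME_INSTANCE, SAMPLE_COMMENT and the
sample headers are constructed data for this example.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

HOME_INSTANCE = "lemmy.example"  # assumed home instance, constructed

# Minimal matcher for Markdown images: ![alt](url "optional title").
# Written for this example; it is not Lemmy's Markdown parser.
IMAGE_RE = re.compile(r"!\[[^\]]*\]\(\s*(?P<url>[^\s)]+)[^)]*\)")


def external_image_hosts(markdown: str, home: str = HOME_INSTANCE) -> List[Tuple[str, str]]:
    """Return (host, url) for every image a reader's browser would fetch
    from a server other than the home instance, i.e. every third party
    that learns something about the reader when the comment is rendered."""
    found = []
    for m in IMAGE_RE.finditer(markdown):
        url = m.group("url")
        host = (urlparse(url).hostname or "").lower()
        if host and host != home.lower():
            found.append((host, url))
    return found


def observer_record(client_ip: str, headers: Dict[str, str]) -> Dict[str, Optional[str]]:
    """What the image host's access log captures for one fetch: the client
    IP, the browser-identifying headers, and the Referer, which tells the
    host which community page triggered the load."""
    h = {k.lower(): v for k, v in headers.items()}
    return {
        "ip": client_ip,
        "user_agent": h.get("user-agent"),
        "accept_language": h.get("accept-language"),
        "referer": h.get("referer"),
    }


def distinct_readers(records: List[Dict[str, Optional[str]]]) -> int:
    """Rough reader count the observer can derive: distinct (IP, UA) pairs.
    Repeat loads by the same browser collapse to one."""
    return len({(r["ip"], r["user_agent"]) for r in records})


# Constructed sample comment: one image rehosted on the home instance,
# three served by other hosts.
SAMPLE_COMMENT = (
    "lol look at this\n"
    "![](https://lemmy.example/pictrs/image/abc.png)\n"
    "![meme](https://images.example.net/track.gif \"t\")\n"
    "![](https://cdn.example.org/spam1.jpg) and ![](https://cdn.example.org/spam2.jpg)\n"
)

# Constructed sample fetches as the third-party host would see them.
SAMPLE_FETCHES = [
    ("203.0.113.7", {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/121.0",
                     "Accept-Language": "en-US,en;q=0.5",
                     "Referer": "https://lemmy.example/c/foo"}),
    ("203.0.113.7", {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/121.0",
                     "Referer": "https://lemmy.example/c/foo"}),
    ("198.51.100.9", {"User-Agent": "Mozilla/5.0 (Android 10; Mobile; rv:121.0) Gecko/121.0 Firefox/121.0",
                      "Referer": "https://lemmy.example/post/42"}),
]

if __name__ == "__main__":
    for host, url in external_image_hosts(SAMPLE_COMMENT):
        print(f"third-party fetch: {host:<22} {url}")
    records = [observer_record(ip, hdrs) for ip, hdrs in SAMPLE_FETCHES]
    for r in records:
        print(r)
    print("distinct readers seen by the image host:", distinct_readers(records))
```

The same listing is the check a moderator would run on a suspected image flood: every host it prints is a server that receives each reader's IP, User-Agent and the Referer of the community page, which is exactly the information the comment above says could be gathered.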




  • He’s just trying to help you, dude. lemmy.world is by far the biggest instance; 3x the users of the next biggest instance and much more than most. But, lemmy.world is also defederated from some notable instances like beehaw and hexbear. Another instance which also has in the tens of thousands of users (enough to be subscribed to “most stuff”) might well give you better search results.

    You may decide that the defederated-from-here instances aren’t worth bothering with, with some justification, but you came in asking for help, he’s trying to help you, and you’re lecturing him about what’s what. 🙄


  • Mozilla/5.0 (Android 10; Mobile; rv:121.0) Gecko/121.0 Firefox/121.0.

    I just did a bunch of testing. The issue is that final version number, “Firefox/121.0”. Google returns very different versions of the page based on what browser you claim to be, and if you’re on mobile Firefox, it gives you different mobile versions depending on your version:

    % wget -O - -nv -U 'Mozilla/5.0 (Android 10; Mobile; rv:62.0) Gecko/121.0 Firefox/41.0' https://www.google.com/ | wc -c
    2024-01-08 15:54:29 URL:https://www.google.com/ [1985] -> "-" [1]
        1985
    % wget -O - -nv -U 'Mozilla/5.0 (Android 10; Mobile; rv:62.0) Gecko/121.0 Firefox/62.0' https://www.google.com/ | wc -c
    2024-01-08 15:54:36 URL:https://www.google.com/ [211455] -> "-" [1]
      211455
    % wget -O - -nv -U 'Mozilla/5.0 (Android 10; Mobile; rv:62.0) Gecko/121.0 Firefox/80.0' https://www.google.com/ | wc -c
    2024-01-08 15:52:24 URL:https://www.google.com/ [15] -> "-" [1]
          15
    % wget -O - -nv -U 'Mozilla/5.0 (Android 10; Mobile; rv:62.0) Gecko/121.0 Firefox/121.0' https://www.google.com/ | wc -c
    2024-01-08 15:52:04 URL:https://www.google.com/ [15] -> "-" [1]
          15
    

    If you’re an early version of Firefox, it gives you a simple page. If you’re a later version of Firefox, it gives you a lot more complete version of the page. If you’re claiming to be a specific version of mobile Firefox, but the version you’re claiming (edit: oopsie doesn’t exist or even really make sense didn’t exist when they set this logic up or something), it gets confused and gives you nothing. You could argue that it should default to some sensible mobile version in this case, and they should definitely fix it, but it seems to me like it’s clearly not malicious.

    Edit: Wait, I am wrong. I didn’t realize Firefox’s version numbers went up so high. It looks like the cutoff for where the blank pages start coming is at version 65, which is like 2012 era, so not real old at all. I still maintain that it’s probably accidental but it looks like it affects basically all modern mobile Firefoxes, yes.
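The manual probing in the comment above, as an added example that is not part of the original post: rather than trying version numbers by hand, a script can bisect the Firefox major version at which the response flips to the near-empty page. The `simulated_probe` below is a constructed stand-in that reproduces what the comment reports (a short page for old versions, a full page around version 62, and a 15-byte response from version 65 on) so the script runs offline; `live_probe` does the real request with urllib for anyone who wants to repeat the test against the site. The single-version UA template, the version range and the 64-byte "blank" threshold are assumptions made for this example.

```python
"""Added example (not part of the original comment): bisect the
Firefox major version at which the server starts returning the blank page.

Assumptions (not from the page): UA_TEMPLATE puts the same major version
in rv:, Gecko/ and Firefox/; simulated_probe is a constructed stand-in for
the live server, reproducing the behaviour the comment reports.
"""
import re
import urllib.request
from typing import Callable, List, Optional, Tuple

UA_TEMPLATE = "Mozilla/5.0 (Android 10; Mobile; rv:{v}.0) Gecko/{v}.0 Firefox/{v}.0"
TARGET = "https://www.google.com/"   # the site probed in the comment
BLANK_LIMIT = 64                     # bytes; the comment's blank responses were 15 bytes (assumed threshold)

FIREFOX_VER_RE = re.compile(r"Firefox/(\d+)")


def version_ua(v: int) -> str:
    """User-Agent string claiming mobile Firefox major version v."""
    return UA_TEMPLATE.format(v=v)


def firefox_major(ua: str) -> Optional[int]:
    """Major version from the Firefox/ token, or None if absent."""
    m = FIREFOX_VER_RE.search(ua)
    return int(m.group(1)) if m else None


def live_probe(ua: str, url: str = TARGET, timeout: float = 10.0) -> int:
    """Response body size for a GET with the given User-Agent (needs network)."""
    req = urllib.request.Request(url, headers={"User-Agent": ua})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return len(resp.read())


def simulated_probe(ua: str) -> int:
    """Constructed offline stand-in: sizes taken from the comment's wget
    output (1985, 211455, 15) with the cutoff at 65 the author reports."""
    v = firefox_major(ua)
    if v is None or v >= 65:
        return 15
    if v >= 62:
        return 211455
    return 1985


def find_cutoff(probe: Callable[[str], int], lo: int = 1, hi: int = 130,
                blank_limit: int = BLANK_LIMIT) -> Tuple[Optional[int], List[Tuple[int, int]]]:
    """Smallest major version in [lo, hi] whose response is blank, assuming
    responses are monotone (non-blank below the cutoff, blank at and above).
    Returns (cutoff, trace) where trace lists every (version, size) probed;
    cutoff is None if even hi is not blank."""
    trace: List[Tuple[int, int]] = []

    def blank(v: int) -> bool:
        size = probe(version_ua(v))
        trace.append((v, size))
        return size < blank_limit

    if not blank(hi):
        return None, trace
    if blank(lo):
        return lo, trace
    while hi - lo > 1:           # invariant: lo non-blank, hi blank
        mid = (lo + hi) // 2
        if blank(mid):
            hi = mid
        else:
            lo = mid
    return hi, trace


if __name__ == "__main__":
    cutoff, trace = find_cutoff(simulated_probe)   # swap in live_probe to test for real
    for v, size in trace:
        print(f"Firefox/{v}.0 -> {size} bytes")
    print("first blank version:", cutoff)
```

The bisection assumes the behaviour is monotone in the version number, which is what the comment observed; if a live run finds a non-blank response above the reported cutoff, the trace printed by the script shows where that assumption breaks.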


  • mo_ztt ✅@lemmy.world to Open Source@lemmy.ml: Thoughts on Post-Open Source? (1 up, 1 down · 6 months ago)

    Depending on the nature of the changes, it might be more advantageous to tell them that it’s easier (i.e. cheaper) to contribute changes upstream, rather than maintaining them separately forever. Also, the good will and reputation boost involved can be significant.

    Don’t say it if it isn’t true or anything, but in a lot of cases it’s true.



  • Amendment to my previous comment: Actually, I looked back a little, and in one of my very first messages to him I covered this in I think a pretty crystal-clear manner, and he completely just failed to even acknowledge that part in his response. A lot of his comments continuing to be upset that he couldn’t click on .debs came after that one.

    Again, I get why he’s too upset to be receptive to help in terms of understanding the system better. Usually, being upset is the death of being calmly receptive to new information; it just comes across as “telling him it’s his fault.” IDK what I could really do at that point though.


  • Yeah, that’s fair. If the guy ever does get back to me I’ll make a specific explicit point of that.

    I really sympathize with the guy, both because I think the core of his complaint is pretty valid even if he’s confused about some things, and because without even looking in detail I’m sure 100 different people have shown up to tell him how wrong he is and he’s been arguing with 50 of them. He’s probably just stormed away in frustration at this point, but if we do wind up talking I’ll make a little more targeted point about it.