emma

emma wrote

there's no need to educate all the guests. eugen and a handful of other devs in the fediverse space have the power to fix this, and when they do, it'll solve the problem in the long term as instances upgrade to newer versions. usually a software bug would be limited to the users of that software, but in this case it negatively affects the web around it, so i don't think this is too much to ask.

5

emma wrote

wasn't it supposed to be based on peer-to-peer communications

the peers, or mastodon instances in this case, are inherently untrustworthy under the open federation model that forms the "fediverse". i presume the reason they chose not to federate preview info is that it can't be verified without refetching it from the origin.

to give an example of how this can be abused, i could set up a malicious instance and make toots that link to my enemies' websites, and have the preview title say "here's how i murdered someone and hid their body", but the actual website doesn't say that. this fake title would then propagate to other instances, and people might believe the website i linked to actually said that at one point in time.

3

emma wrote

Makes me appreciate how Signal does sender-side link-previews to only make one request to the linked server per story

mastodon does link previews too, but each server has to fetch its own, which is why you get a billion sudden requests at once

But this also sounds like they could just serve a cached page that didn't use php capacity?

yeah, you can serve cached pages if you know how and the linked page doesn't require server-side recomputation, but caching introduces a bunch of complexity and prerequisites that have to be met, and i've never seen a cheap web host offer it out of the box.
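to illustrate (just a minimal sketch, not any particular host's setup; the route and page content are made up), this is the kind of cache header that lets a CDN or reverse proxy absorb the burst instead of the app server:

```python
# hypothetical sketch: mark responses as cacheable so an upstream shared
# cache (CDN or reverse proxy) can serve repeated identical requests.
from flask import Flask, make_response

app = Flask(__name__)

@app.route("/blog/<slug>")
def article(slug):
    html = f"<h1>{slug}</h1><p>article body goes here</p>"  # placeholder page
    resp = make_response(html)
    # "public, s-maxage=300" lets shared caches reuse the page for 5 minutes,
    # so a thundering herd of fediverse servers only reaches the app once.
    resp.headers["Cache-Control"] = "public, s-maxage=300, max-age=60"
    return resp
```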

the onus shouldn't be on the webmaster to prepare for a huge burst of requests. mastodon instances should behave as good netizens. if the integrity of previews is so important that each server must do its own independent fetching, then perhaps they shouldn't do previews at all.

5

emma wrote

A lot of fediverse software unfortunately just immediately uploads your image to the server (probably so that you can add the alt text immediately as well)

i think it's because developers have been poisoned into believing multipart/form-data is a bad thing, since it doesn't fit neatly into the REST paradigm. images could be handled entirely on the client side until it comes time to actually post them, with the alt text added alongside and sent in the same request.
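as a rough sketch of what posting could look like (the endpoint, field names, and token handling here are made up, not any real fediverse api), the image and its alt text can travel together in one multipart/form-data request at submit time:

```python
# hypothetical client-side sketch: nothing is uploaded until the user
# actually posts, and the image + alt text go in a single request.
import requests

def publish_post(api_base, token, text, image_path, alt_text):
    with open(image_path, "rb") as image:
        return requests.post(
            f"{api_base}/api/posts",
            headers={"Authorization": f"Bearer {token}"},
            data={"text": text, "alt_text": alt_text},
            files={"image": image},  # requests builds the multipart body
            timeout=30,
        )
```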

it's pretty funny that lemmy has all those deficiencies, but i don't believe they're in violation of the gdpr. the right to erasure only requires that data be deleted without undue delay, and doesn't require an automated self-service process. the gdpr treats "undue delay" as up to a month, or in some cases up to three.

7

emma wrote

they don't cache the entire server. generally, they pass the request on to raddle if it hasn't been flagged as malicious. most endpoints won't be cached, because doing so could potentially expose secrets in the html that's served to logged-in users. images, however, are cached, which saves several hundred gigabytes each month.

we do have to trust that cloudflare won't retain private responses longer than they have to, but that's true of the hosting provider as well.

6

emma wrote

Are we simply trusting that they are using the same code?

Pretty much, yeah.

In theory, you can verify it was built from the published source by compiling it yourself and comparing the output to the prebuilt version. There's a whole methodology called reproducible builds meant to enable this verification, and supposedly Signal supports this.
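As a rough illustration of the idea (the file names are made up, and as I understand it Signal's real process diffs APK contents while ignoring signing data rather than hashing whole files), you rebuild from source and compare your artifact against the distributed one:

```python
# Sketch of the reproducible-builds check: hash the artifact you built
# yourself and the one that was distributed, then compare.
import hashlib

def sha256sum(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

official = sha256sum("Signal-official.apk")  # the prebuilt release
rebuilt = sha256sum("Signal-rebuilt.apk")    # what you compiled yourself
print("match" if official == rebuilt else "differs")
```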

19

emma wrote

I keep telling people we should just tack "-over-HTTPS" to every network protocol so we can leverage the affordable, widely available DDoS mitigation infrastructure that's meant to protect websites.

SourceHut looks nice, and if I were still actively programming, I'd gladly try it out. It sucks to see this happen.

9

emma wrote

Reply to comment by 2elddar in Free Software vs. Open Source by plank60

Good god that thread is funny. Threats of reporting the copyright holder to some ominous group for violating their own rights as the copyright holder.

I can see that you are active in other threads, you are breaking the contract (GPL3) by not sending me sources. You are being illegal.

Best imagined as dialogue from Ace Attorney.

Idk why, but any discussion about copyright and free software just seems to invite a ton of insights from people who don't have even a basic understanding of either, as demonstrated both in that thread and here.

7

emma wrote

back when GitHub switched away from master/slave branches.

Gonna expand on this a bit. Git, the technology that GitHub uses, had 'master' as the default branch name, but 'slave' wasn't used anywhere. However, one version control system that inspired Git did use it, so it was argued that Git's use of 'master' was still part of the master/slave dichotomy.

I was one of those who renamed branches from 'master' to 'main' back when the George Floyd thing happened, but in hindsight I feel it was an incredibly performative action to take. Not only was the rationale incredibly contrived, but the tech companies that pushed for this were also perfectly happy selling their services to a US government agency that hunts down immigrants, breaks up their families, and locks them in cages. So from my perspective, that whole endeavour was incredibly pointless, and played into a PR campaign to launder the reputation of harmful companies.

But that's just my perspective as a white person living in Europe, and maybe other people here feel differently about it. If anyone has perspectives to share about either 'master' or 'whitelist', please let me know, as I'll take these into account when deciding whether to change the wording in Postmill or not.

9

emma wrote

Autocomplete is as much cheating as using a premade template.

I don't agree with this. Autocomplete is one of the benefits of having a schema, and it's painful to work without once you've gotten used to having it.

Even if you weren't using autocomplete, it's much easier to search through documentation for <tag> than it is to search for array/object structures.

But would you not still be at the mercy of your editor having an autocomplete plugin for the specific XML schema you're using?

No, the XML schema is just an XML document describing how other XML documents that use it should be structured. So you need one editor and/or plugin that supports such schemas, and then you have autocomplete for all your XML documents.

For the same reasons, if you have a schema, then you can perform the same validation of XML documents anywhere.

To some degree, this can be achieved with JSON using JSON Schema, but it's not as ubiquitously supported as XML.
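As a small sketch of what that validation looks like in practice (assuming lxml is installed; the schema and document file names are made up), any system can run the exact same check:

```python
# Validate an XML document against an XSD so every system doing this
# check agrees on what counts as valid.
from lxml import etree

schema = etree.XMLSchema(etree.parse("recipe.xsd"))  # the schema document
doc = etree.parse("dinner.xml")                       # the document to check

if schema.validate(doc):
    print("document conforms to the schema")
else:
    for error in schema.error_log:
        print(f"line {error.line}: {error.message}")
```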

Do other languages not have equivalents?

They do, but when everyone defines their own way of validating things instead of using a schema, you easily end up with discrepancies in how two systems parse the same document.

I've got nothing to add here, I just want to thank you for vindicating my nightmares

No problem. Thank you for attending my In Defence of XML TED Talk.

3