Admins, we're about to have a really bad SPAM problem when Lemmy removes captcha support in v0.18 - You ALL have a responsibility to communicate back to lemmy devs to try to stop it.

Look, we can debate the proper and private way to do Captchas all day, but if we remove the existing implementation we will be plunged into a world of hurt.

I run tucson.social - a tiny instance with barely any users and I find myself really ticked off at other admins' abdication of duty when it comes to engaging with the developers.

For all the Fediverse discussion on this, where are the GitHub issue comments? Where is our attempt to convince the devs in this?

No, seriously WHERE ARE THEY?

Oh, you think that just because an "Issue" exists to bring back Captchas is the best you can do?

NO it is not the best we can do, we need to be applying some pressure to the developers here and that requires EVERYONE to do their part.

The Devs can't make Lemmy an awesome place for us if we admins refuse to meaningfully engage with the project and provide feedback on crucial things like this.

So are you an admin? If so, we need more comments here: https://github.com/LemmyNet/lemmy/issues/3200

We need to make it VERY clear that Captcha is required before v0.18's release. Not after when we'll all be scrambling...

EDIT: To be clear I'm talking to all instance admins, not just Beehaw's.

UPDATE: Our voices were heard! https://github.com/LemmyNet/lemmy/issues/3200#issuecomment-1600505757

The important part was that this was a decision to re-implement the old (if imperfect) solution in time for the upcoming release. mCaptcha and better techs are indeed the better solution, but at least we won't make ourselves more vulnerable at this critical juncture.

110 comments
  • You ALL have a responsibility to communicate back to lemmy devs to try to stop it.

    No I don't. Stop trying to brigade people to an issue. If you have an issue with it... Fork the lemmy UI code and make your own. Or stay on pre 0.18 code.

    It's one thing to bring awareness to the issue. It's another to demand that I take action on something that's not only a non-issue for me (and likely many other admins of instances) but that the devs don't have to support. You're not paying them... you're not their mother. You don't get to force them to do anything they don't want to do.

    Honestly the captchas that lemmy uses are terrible anyway. https://addons.mozilla.org/en-US/firefox/addon/2captcha-solver/ You can even solve them yourself as a browser extension... There's no point to them in today's world.

    • Exactly, instance admins that want to keep CAPTCHA have two good options here:

      1. Stay on 0.17.x until 0.18.y drops that re-implements CAPTCHA satisfactorily
      2. Fork and modify lemmy to version 0.18-captcha, undo the commit removing the old Captcha code.

      I totally get the project maintainers are stubborn but no one has a "responsibility to stop the devs from doing it". It reeks of open-source entitlement.

      • You won't see me making call to action posts for undelivered features or other small-fry items. I'm a dev, I get it.

        But there are always times where vulnerabilities come up and a dev might not otherwise know that it's being exploited. It's one thing to have a feature to fix that vulnerability and get to it as part of your own priority list. It's another when that vulnerability is actively impacting the people using the software - that's when getting vocal about an issue is appropriate to help me alter my priorities, IMO.

        • Your concerns about security of the application and community are valid. I get that this is essentially a vulnerability that should be mitigated and fixed. Raising awareness of it is fine.

          Where I take issue, I suppose you didn't entirely intend this, is that our responsibility is to put pressure on the main developers to fix the issue before the 0.18 release and dictate their priorities for them.

          I would rather we discuss workarounds, mitigation steps in the interim, assist in solving the issues through Pull Requests and discussion on the issues page and forums. I just think it's a bad idea to point blaming fingers at devs for being slow to respond, or badger them to make these changes, when they are volunteering their own time to share Lemmy with us (some also maintaining Jerboa and Lemmy UI at the same time).

          With the way the licensing is, I would rather the project be forked by someone that would want to fix the issue. The repo maintainers are entitled to set their own priorities, just like Lemmy instance admins are allowed to determine how they run the server.

          • Thank you for the measured take on this.

            You are correct, I don't intend to pressure or cause harm! But I certainly see the results, and it is indeed pressure. As another commenter pointed out, there are many instance admins who work a bit closer to the team on the Matrix chatrooms and that's their preferred method of communication. Now that I know this, I'll let things cool down and join myself. I definitely intend to contribute where I can in the codebase, and I wouldn't dream of escalating to public pressure for smaller concerns.

            However, I have a slight, and perhaps pedantic disagreement about making changes. In this case, the request was for not making a change. If it weren't for the fact that the feature was already ripped out it would be as simple as not removing it (or in this case re-working it a bit). I understand that it isn't the current reality, and that it required work to revert - and if not for a ton of spambots, I think it would've been easier to adapt.

            Ultimately it will take time to discuss workarounds and help others implement them, and the deadline is ultimately the arrival of the version that drops the older captcha (or was, in this case - it's getting merged back in as we speak - might even be done now). With that reality, I had a sense that this could be an existential problem for the early Threadiverse.

            I definitely didn't intend to suggest that the Devs were in any way at fault here. I read the GitHub issues enough to come away with the takeaway that the feedback they were receiving seemed to be "Admins and devs alike are okay moving forward and opinions to the contrary are minimal, let's move forward". It was definitely intended to be a way to communicate using raw numbers (but not harassment). I'd like to think I'm fairly pragmatic in that if it IS working for folks, then that is a contrary opinion, and that it was missing.

            Where I definitely failed was my overly emotional messaging. It's certainly not an excuse, but my recent autism diagnosis does at least help explain why I have an extremely strong sense of justice and can sometimes react in ways that are less than productive in some ways.

            As for the licensing, I agree! I'm talking to some good friends of mine because I want to take my instance WAY further than most others - goal is a non-profit that answers to Tucsonans and residents of larger Pima county rather than someone not in the community. There's just a lot of features this concept would need that it might diverge so much from the Lemmy vision that it needs to be something new - and hopefully a template for hyper-local social networks that can take on Nextdoor.

            • I can see better where our disagreement is, and I appreciate you being reasonable about it as well. Thank you for that.

              Sounds like you have some great plans coming with your Tucson social project. All the best!

      • It reeks of open-source entitlement.

        I used to contribute to a very large open source project. One day I posted a blog about our project not really needing users, except that some small portion of users turned into developers. The users were incensed. "How can you not need us?" It was a "The customer is always right" mindset, except that doesn't work with open source when they're using something they downloaded for free.

        That said, Lemmy might be a special exception, because its goal is to have a lot of users -- network effects are important to the health and longevity of social media platforms. So Lemmy might actually need the users to be a healthy project. Unfortunately, this will create a bunch of entitled users in the process :/

        • "The customer is always right" mindset, except that doesn't work with open source when they're using something they downloaded for free.

          You've put your finger on the thing that was bothering me about the tone of the original post - it's very similar to a Nextdoor post.

        • Eh, this situation seems more like the "admins"/power users of the software saying "How can you not need us?" - and for them, that's more of a point. These are the people who submit bug reports, code features or plugins on a weekend, and generally turn your one product into a rich ecosystem of interconnected experiences. One can argue that the project doesn't technically require their participation, but they do enhance the project in many different ways.

          Open-source entitlement is a thing, but I'm not sure that this is the same thing. I for one would be happy to submit changes (and even have a couple brewing for my own use on my instance). Just don't make the spam problem worse in the meantime by pushing out a version that's missing a crucial (if imperfect) feature.

    • They've now said they're open to a PR that implements captchas in 0.18, which will require new work since it's not just a matter of reverting the removal from 0.17. I look forward to seeing OP's submission.

      • Looks like someone already opened a PR to roll back to a retrofitted solution (I had to wait until the weekend before I could find the time to work on this).

        The devs are willing to accept a retro-fitted captcha (rather than just mCaptcha) in time for v0.18 and they communicated as such about 9 hours ago (for me). So for me, my push for visibility is complete unless they block the incoming PR for whatever reason. The devs have been made aware that this is contentious and the community could be impacted negatively and they see the need for it.

        For me, that indicates that the Lemmy devs will listen to key, important issues, that impact the health of the larger fediverse as long as the community is clear about what the largest issues actually are.

        A lot of folks here characterized me as someone wanting to "brigade", but that's not quite true. I just know that sometimes developers don't know what's going on with admins unless the admins are loud, clear, and coordinated. That doesn't mean that I was asking folks to "force" the devs to do anything or be abusive, just that enough feedback might convince them to see things from a different perspective than a perfect technical solution.

        • A lot of folks here characterized me as someone wanting to “brigade”, but that’s not quite true. I just know that sometimes developers don’t know what’s going on with admins unless the admins are loud, clear, and coordinated.

          The language of your post was quite hostile and painted (and continues to paint) the developers as being out of touch with instance admins. The instance admins are already "loud, clear and coordinated", and are working in full communication with the maintainers.

          ...and I find myself really ticked off at other admins’ abdication of duty when it comes to engaging with the developers.

          The majority of PRs coming into the project are coming from instance admins seeking to solve their personal pain points.

          Both the issue and the PR you're referring to were created by ruud, the admin of the single largest Lemmy instance, lemmy.world. Both your signaling to this issue and the outcry it attempted to rally were completely unnecessary.

          • The language of your post was quite hostile and painted (and continues to paint) the developers as being out of touch with instance admins. The instance admins are already “loud, clear and coordinated”, and are working in full communication with the maintainers.

            Right now the instance admins that I'm working with are largely independent with only a couple of outliers. The newer instances that have just joined the fediverse didn't really echo back their concerns. So while your statement might be true (I dunno, I don't see any coordination, and it's not always clear what admin concerns are important.) the rapid growth has brought even more stakeholders and admins to the fediverse. Some far less technical than others. I'm going to need more proof of deeper coordination, because as it stands many Admins say "Devs are tankies" and refuse to federate with the maintainer's instance, let alone contribute code or money.

            The majority of PRs coming into the project are coming from instance admins seeking to solve their personal pain points. Both the issue and the PR you’re referring to were created by ruud...

            This is a new phenomenon, the total lines of code written by the primary devs are still much larger than any other combination of PRs. I don't envy the position of having to sort through thousands upon thousands of PRs that may or may not coincide with the project's vision or code quality standards. Rolling back to a known prior state is almost always lower effort than minting a fresh new implementation.

            Also, ruud did not create the PR I'm referring to, that honor goes to TKillFree. Heck, why do you think I'm attacking the author here rather than trying to bring more weight to his Github issue? It's because of ruud that I even know what's going on - and the instance admins I know were pretty clueless about the pending change.

            I'll grant you that my tone and signalling need work, but I do think that an attempt to rally more folks did indeed influence the solutions that the maintainers were willing to accept. From "New, better implementation only - remove the existing flawed one now" to "Okay we can keep the flawed method, but we need an enhanced version and soon".

            At this point it's hard to tell because we don't live in a universe where I didn't make that post to compare. Maybe you're right and this would've all shaken out eventually.

            • Right now the instance admins that I’m working with are largely independent with only a couple of outliers. The newer instances that have just joined the fediverse didn’t really echo back their concerns. So while your statement might be true (I dunno, I don’t see any coordination, and it’s not always clear what admin concerns are important.) the rapid growth has brought even more stakeholders and admins to the fediverse.

              Are you in the Matrix server? This is where the coordination is happening between both maintainers and the development community, as well as playing out across Github issues.

              I’m going to need more proof of deeper coordination, because as it stands many Admins say “Devs are tankies” and refuse to federate with the maintainer’s instance, let alone contribute code or money.

              You just said you're only interacting with a small group of independent admins, but now you're making a conflated statement of "many Admins". They have a right to their opinion, but they can't also expect the maintainers and devs/admins who are contributing code to listen to their demands when they're bringing nothing to the table except complaints and personal attacks.

              You have the choice to either support with code, support with money, or be happy with what you got for free and if you don't like something you can make changes to it yourself.

              The only reason you got what you wanted in the end was because someone else put in the work to make it happen, which I'm certain would have happened regardless of your post because it was already being raised both in the Matrix channel amongst other admins as well as by ruud.

              • Guess I best get over there then. Sounds like a place to voice my concerns without resorting to public appeals.

                You just said you’re only interacting with a small group of independent admins, but now you’re making a conflated statement of “many Admins”.

                I can be working with a small set of independent instance admins (brought together by a newer instance and discussions mostly through discord) and I've helped them test a few things and our little discord meta-community is already constructing new features, auto-posting bots of different types (RSS feeds, even posts, etc), and a few other things.

                However, this is different from "Most Admins" where my interactions are largely based in the meta/support channels for other instances. This is a much more confusing population to me since many were exposed to the entire "Lemmy is for Authoritarian Communists" that was making the rounds on reddit. It's resulted in a newer cohort of Admins that aren't nearly as friendly to the development team.

                The only reason you got what you wanted in the end was because someone else put in the work to make it happen

                Nah, I would've made the change myself, but it wouldn't do a darn thing because it depends on the inherent security of less technical admins. This project is as much impacted by individual decisions as it is by collective ones.

                And until the maintainers changed their mind, they likely wouldn't have allowed a resurrection of the old Captcha anyways - so your point about another person "doing the work" only was really possible once the maintainers communicated that it was acceptable. Because, as stated in my previous point, an individual instance with this change (reverting captcha) doesn't protect them from instances that don't.

                This all points back to my original point which revolves around new admins understanding the importance of engaging the maintainers and making themselves heard. The fact that people who already do this took offence to my post is a little bizarre because I'm clearly not talking about the people who haven't been communicating.

                Sure, those who've been with the Fediverse for a bit are familiar with Matrix and how to use it to communicate back to the core developers. But the new influx of instances and their admins either A - don't know where to go, B - don't care, or C - are so ideologically opposed to the rumors they want nothing to do with them.
