Ehhh. As much as I have annoyances with the devs on some issues, I think that it’s more that it’s just hard to design a distributed system like this without thinking of all the tradeoffs and security and privacy issues.
Like, there were some cross-site scripting issues in the past in lemmy. I didn’t spend a lot of time looking into them, but there were some web dev types who were kinda scathing, said that this is something that an experienced Web dev should know about. But I don’t think that the lemmy devs thought “oh, let’s add cross-site scripting security holes”. I think that it was probably just that they didn’t have someone with a lot of Web security experience – which is its own little unique field – looking at what they were doing.
If you want to permit inline images – which may or may not be a good idea, agree that they aren’t essential – then there are going to be tradeoffs. If you have a user’s home instance fetch and serve all the images, which is what they do with comment text, then that avoids exposing a user’s IP on comment view to random other people…but then it also increases bandwidth costs to run a lemmy instance. Maybe by a lot. And if instances are mutating comments to redirect images to be versions that they host, then if you want to do pubkey/privkey signing of comments, which might be a good idea down the road, then you’re gonna introduce more complexity, because that’d invalidate a comment’s signature. Lemmy would have to do something like expose both the original comment and the mutated comment and let a client validate the signature. Maybe have a signature on images to ensure that another instance isn’t just replacing the images with something else. But then that maybe breaks if a remote site generates an image dynamically and its content changes every time it’s served. Lot of tradeoffs and unintended side effects. And it’s a distributed system with different people who may or may not trust various other people to do various things and may not all agree on what acceptable risks are.
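The signing-versus-proxying tradeoff the comment above describes, as an added example that is not part of the original post and not Lemmy's code. It assumes a hypothetical wire shape (`SignedComment`), a hypothetical proxy prefix on the home instance, made-up hostnames, and constructed image bytes; it uses Ed25519 from the Go standard library and a plain SHA-256 pin as the "signature on images". It shows that rewriting image URLs breaks the author's signature unless the original text is carried alongside, and that pinning image bytes catches a swapped image but also rejects a legitimately dynamic one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"regexp"
)

// imageRef matches a markdown inline image: ![alt](url).
var imageRef = regexp.MustCompile(`!\[([^\]]*)\]\(([^)\s]+)\)`)

// SignedComment is a hypothetical wire shape, not Lemmy's schema: the text exactly as
// the author signed it, the author's Ed25519 signature over it, and the author's key.
type SignedComment struct {
	Original  string
	Signature []byte
	AuthorPub ed25519.PublicKey
}

// Sign signs the comment text as the author wrote it.
func Sign(priv ed25519.PrivateKey, text string) SignedComment {
	return SignedComment{
		Original:  text,
		Signature: ed25519.Sign(priv, []byte(text)),
		AuthorPub: priv.Public().(ed25519.PublicKey),
	}
}

// Verify checks the author's signature against one rendering of the comment text.
func Verify(pub ed25519.PublicKey, text string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(text), sig)
}

// RewriteImages is what a proxying home instance does: every remote image URL is
// replaced by a URL on the instance itself. proxyBase is a hypothetical prefix
// such as "https://home.example/proxy?url=".
func RewriteImages(text, proxyBase string) string {
	return imageRef.ReplaceAllStringFunc(text, func(m string) string {
		parts := imageRef.FindStringSubmatch(m)
		return "![" + parts[1] + "](" + proxyBase + url.QueryEscape(parts[2]) + ")"
	})
}

// ImageDigest is the simplest "signature on images": the author pins the SHA-256 of
// the image bytes at posting time, so an instance that swaps the image is caught.
func ImageDigest(img []byte) string {
	sum := sha256.Sum256(img)
	return hex.EncodeToString(sum[:])
}

// ServedCopyMatches reports whether the bytes an instance serves match the pinned digest.
func ServedCopyMatches(pinned string, served []byte) bool {
	return ImageDigest(served) == pinned
}

// Outcome collects the four checks the scenario makes.
type Outcome struct {
	OriginalValid bool // signature over the author's text, as signed
	MutatedValid  bool // same signature over the proxy-rewritten text
	StaticMatches bool // pinned digest vs. an unchanged static image
	DynamicMatch  bool // pinned digest vs. an image that re-renders on every fetch
}

// RunScenario walks through the tradeoff with constructed sample data.
func RunScenario() (Outcome, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	// Constructed comment with one inline image on a made-up host.
	text := "look at this ![cat](https://cdn.example/cat.png) and reply"
	signed := Sign(priv, text)

	// The home instance rewrites the image to its own proxied copy.
	mutated := RewriteImages(signed.Original, "https://home.example/proxy?url=")

	// Constructed image bytes: one static image, one whose content differs per fetch.
	static := []byte("PNG-bytes-of-cat-v1")
	dynamicFetch1 := []byte("PNG-bytes-counter-0001")
	dynamicFetch2 := []byte("PNG-bytes-counter-0002")

	return Outcome{
		OriginalValid: Verify(signed.AuthorPub, signed.Original, signed.Signature),
		MutatedValid:  Verify(signed.AuthorPub, mutated, signed.Signature),
		StaticMatches: ServedCopyMatches(ImageDigest(static), static),
		DynamicMatch:  ServedCopyMatches(ImageDigest(dynamicFetch1), dynamicFetch2),
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("signature valid on original text:    %v\n", o.OriginalValid)
	fmt.Printf("signature valid on rewritten text:   %v (client needs the original too)\n", o.MutatedValid)
	fmt.Printf("pinned digest matches static image:  %v\n", o.StaticMatches)
	fmt.Printf("pinned digest matches dynamic image: %v (legitimate image, pin still breaks)\n", o.DynamicMatch)
}
```

The point of carrying `Original` next to the rewritten text is that the client can verify the author's signature over `Original` and then render the proxied version; the instance is free to mutate what it serves but cannot forge what the author signed. The image pin only helps for content that is stable across fetches, which is exactly the dynamic-image case the comment flags.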
I get the impression that lemmy’s designers wanted to build a meme propagation system rather than a discussion forum. Well they got what they wanted.