The goalposts didn’t shift, you started talking to a different person.

This person says that this issue is small, the impact of exploiting this system would be minor (if it ever happened), and the hypothetical attack on this subsystem is also demonstrably not occurring.

Therefore, treating this issue as if it were some sort of red-line issue or, really, even worth discussing outside of the context of the project itself (where changes can actually be implemented) is misrepresenting reality.

As to your direct point, it wasn’t my point but I do agree with it so I’m happy to directly address your argument.

The quote you seem to take issue with was :

Wait, Digg gave the community to a Reddit moderator so Reddit could control the communities with the same name on both platforms? That’s wild.

That’s also how the corporate side of Reddit works. Someone will register a subreddit, and then a bunch of related ones, so anybody who tries to use any of them has to follow the same set of rules — and if you piss off the wrong person in one, they can ban you from all of them. They can also use their “first” or “official” or even “user count” status to bully smaller subs into redirecting to them. Effectively centralising information.

The Fediverse doesn’t work like that.

Or, more plainly:

The Fediverse doesn’t allow a single user to scoop up all of the similarly named/themed communities and use that power to dominate those topics of conversation.

Your reply:

Maybe Mastodon does not, but Lemmy, in particular lemmy.ml, works more like that than you realize. e.g. a change is soon going to give lemmy.ml veto power in what communities are allowed to be acknowledged as existing to new instances, which is baked right into the code and there is no way to change it. A third-party listing could have been used instead but… no, this is rather much more on-brand for the Lemmy developers to have chosen.

Your reply references code affecting the Lemmy server instance, that runs once on server instantiation, which uses lemmy.ml as the source to populate the list of communities that users of the new instance will see when they click the ‘Communities’ link at the top. This is true.

Your inference that lemmy.ml has the ability to veto what communities are allowed to be acknowledged as existing to new instances is a bit of hyperbole. Lemmy.ml is the source of the initial list, true.

But new instances acknowledge communities existing regardless of those community’s status with lemmy.ml. The moment that a single user reads a single comment in a community that isn’t on the initially seeded list, then it appears in the new instance’s community list regardless of the status of that community on lemmy.ml.

If we were a security researcher and were analyzing the scope of this problem we would consider that

1. This only affects new instances, so the vast population of Lemmy as it stands now, is not affected by this code at all. Only a hypothetical future population.

2. The list on lemmy.ml is not treated as authoritative. Outside of the initial values, lemmy.ml is not checked for any other functions related to adding or displaying communities

3. Any attempts by lemmy.ml to game this system are both not happening and also easily detectable as the list is public and can be compared to other instances.

So, this veto power isn’t being used. If lemmy.ml were attempting to leverage this power, it would be detectable. In the worst case, if were actively being exploited then it would affect very few people(none of the current Lemmy community), and the people that it did affect are impacted only until a user reads a comment or post from a ‘vetoed’ community.

Also, this is an open source project so saying things like:

and there is no way to change it.

Simply make no sense at all.

You can change it. Any admin who thinks it may be a problem can change it. I linked to the exact section of code where you can just change the URL and compile the .rs file again to use a different instance.

You could change it so that the URL is read from the options file that the administrator sets prior to launching the instance. You could also submit that as a PR so that future administrators could just apply your patch (independent of it being accepted by Lemmy) because that’s how open source development works. That’s what the quote that you provided means:

If you dont like it, fork it. Stop bothering us about it

• Nutomic

It sounds dismissive, because it is. This isn’t a product, you’re not a consumer. You’re going to people who donate their time and telling them to do work in a way that you want it done. They may agree, and you may be able to make good arguments to convince them but if they don’t, then brigading social media or spamming their issue tracker with requests isn’t going to get it done.

If you don’t like it fork it and fix it. It is a fundamental concept in open source software that you can always fix problems that you see and other people can use your fixes regardless of what the project thinks. If you think the project is going in the wrong direction then you are perfectly within your rights to take a copy of the code and develop it in your own way and if you can find other people who believe like you do then they can use your changes as they see fit.

But going online and misrepresenting the risk of some code update that you disagree with by exaggerating the scope of the problem isn’t how you get anything done except creating needless drama.