So if you do the Docker setup, obeying the instructions and substituting everything that needs to get substituted, but don’t proofread the files in detail and so miss that line 40 of docker-compose.yml doesn’t have the variable {{domain}} like in every other location you need to write your domain, but instead just says LEMMY_UI_LEMMY_EXTERNAL_HOST=lemmy.ml and so you fail to change it away from lemmy.ml… then, everything will work, until you type in your admin password for the first time, at which point your browser will send a request to lemmy.ml which includes your admin username, your email address, and the admin password you’re trying to set. And, also, of course your IP address wherever you are sitting and setting up the server.

I have no reason at all to think the Lemmy devs have set their server up to log this information when it comes in. nginx will throw it away by default, of course, but it would be easy for them to have it save it instead, if they wanted to. And my guess is most people won’t use a different admin password once they figure out why creating their admin user isn’t working and fix it.

@[email protected] @[email protected] I think you should fix the docker-compose.yml file not to do this.

Edit: Just to increase the information-to-rudeness ratio of my post. The docs are at:

https://join-lemmy.org/docs/administration/install_docker.html

And they recommend using wget to download:

https://raw.githubusercontent.com/LemmyNet/lemmy-docs/main/assets/docker-compose.yml

Which is pulled from:

https://github.com/LemmyNet/lemmy-docs/tree/main/assets

Which is what has the wrong line 40 in it.

Edit: They fixed it. Good stuff.

  • percent@infosec.pub
    2512·
    18 hours ago

    It sounds like a pull request would have been much more helpful, with much less effort. But you want it fixed less than you want it publicized, so you chose this option (even though you could have done both).

    In other words, you cared less about the people impacted by this problem, and more about your own opportunity to put the author(s) on blast like this.

    And you care about that opportunity so much, that it’s even worth it to show this dark side of yourself publicly.

    Am I understanding that right?

    • BassTurd@lemmy.world
      223·
      17 hours ago

      Or OP is spreading the word to get it out there. Now it’s got eyes on it thanks to OPs work.

      Jesus. Some of you people just want to shit on someone for doing a good thing for no reason. Have you put in a pull request yet or are you just showing your dark side on top of being a dick to OP who did something good?

      • ZombiFrancis@sh.itjust.works
        31·
        6 hours ago

        There’s been a multiyear crusade to oust .ml from the Fediverse with demands that the developers relinquish their instance servers to a third party and/or stop developing Lemmy altogether. That’s not an irrelevant context here given it is usually the same routine players.

        • PhilipTheBucket@ponder.catOP
          31·
          6 hours ago

          I don’t think .ml should be ousted. I think they should stop being dickheads. It’s a little tangential to this particular post (mostly only relevant in that it makes people suspicious of their motives when otherwise they would not be.)

      • PhilipTheBucket@ponder.catOP
        92·
        17 hours ago

        One of the .ml users down below volunteered to put in the PR later tonight if no one else has, so it sounds like both bases are covered now.

      • percent@infosec.pub
        64·
        17 hours ago

        They could have done both.

        If it’s not fixed by Monday, I will consider starting the approval process from the legal department that requires it from me.

        I wish I had the freedom to just open a PR anywhere anytime, but I don’t.

    • PhilipTheBucket@ponder.catOP
      123·
      17 hours ago

      Let’s not get carried away. Shared software systems are about more than the software. If you’re looking only at the software, and that was literally 100% of what is important here and nothing else, then yes, you’re right.

      But you want it fixed less than you want it publicized

      100%. Yes. Correct. I also want it fixed, but that’s completely trivial, with or without the pull request.

      • irishPotato@sh.itjust.works
        91·
        13 hours ago

        I think there you hit the nail on the head! Just the fact that it is in there, whether intentionally or not is something that warrants warning people about. So that in the case someone goes to set up a server, they at least know that recently there was this rather severe risk of unnecessary credential exposure, again no matter if it was intentional or not.

        However, I will say that I think I would have also opened the PR, not to help the original dev necessarily, but helping those that might come to use the software later.