

One of the .ml users down below volunteered to put in the PR later tonight if no one else has, so it sounds like both bases are covered now.
Sounds great. Thank you, it sounds like a good idea.
Seems like a genuine miss, contrary to what the comments here would have one believe.
You might be right. I looked at the history and the way it came in, and it’s not as wildly anomalous to the rest of the file when looked at in context. Maybe it’s just a mistake.
Let’s not get carried away. Shared software systems are about more than the software. If you’re looking only at the software, and that was literally 100% of what is important here and nothing else, then yes, you’re right.
But you want it fixed less than you want it publicized
100%. Yes. Correct. I also want it fixed, but that’s completely trivial, with or without the pull request.
Would have been nice with a link from the start.
Yeah, 100%. I edited the post to add more of the details.
I mean probably I should. There are a bunch of people accusing me of being dick headed and petty and they’re not completely wrong. Honestly, I just don’t feel like helping the Lemmy devs. Dessalines, at least, is totally unapologetic about being a dickhead to people he has power over. That puts me in a mindset where, mostly, I want to talk to other people about potential harm he’s in a position to do, and not really in a mindset where I want to do even a small amount of extra work on his behalf.
I’m going to tell other people that he’s in a position to take their passwords. If he wants to see that and put himself not in that position anymore? Great, I think he should. If he gets his feelings hurt because I’m not being super friendly about it? Well… okay. I’m not trying to be malicious about it or do anything other than clearly communicate the problem. But it seems like the lemmy.ml “in charge” crew in general has a lot of a mentality that’s kind of like, “Well, I’m in charge, and you’re not, so fuck what you think and fuck your rights. Ban.” (or whatever). The way I operate, that really makes me not want to be extra friendly or courteous to people. I used to have a regular donation to Lemmy development set up, I used to take seriously the idea of getting involved in contributing to the code, and then I observed how they operate, and … like I say I’m mostly talking to the other people involved who I think should be aware of this. If the devs want to react, fix it, or get involved in the conversation, then sure, sounds good.
The fix is in the comments below, if someone else wants to contribute it and do the very small amount of work of getting it in.
The live docs at:
https://join-lemmy.org/docs/administration/install_docker.html
Link to:
https://raw.githubusercontent.com/LemmyNet/lemmy-docs/main/assets/docker-compose.yml
Which is what needs to be updated.
It’s present in the link on:
https://join-lemmy.org/docs/administration/install_docker.html
Which refers people to download:
https://raw.githubusercontent.com/LemmyNet/lemmy-docs/main/assets/docker-compose.yml
What you’re linking to is not what the live docs link to. I don’t know what main/docker is for, but the docs link to main/assets, not there.
A lot of people, I think, would appreciate knowing if there’s indication that their software might be doing something sketchy to them. You might feel that my appropriate response about it should be to shut up, shut up, shut up!, but I don’t think I will. When it comes to issues of trust and security in software, it’s usually not that good an idea to just silently fix it and not talk about it so nobody’s feelings will be hurt and no one will feel bullied.
I’ve posted the patch and recommended that someone post a PR about it. I do think it would be good if it gets fixed. If the Lemmy devs claim that me being a twat is a good excuse for just leaving it as is, then like I said, that’s a super interesting turn of events.
Yeah, don’t they realize they could have just spent that time productively by making a pull request, instead?
The relevant repo is:
https://github.com/LemmyNet/lemmy-docs
If you wanted to submit a PR, I think that would be a good idea. I’ve posted the patch elsewhere in the comments.
--- a/docker-compose.yml 2025-07-12 00:17:33.050443300 +0000
+++ b/docker-compose.yml 2025-07-12 00:18:21.038972526 +0000
@@ -37,7 +37,7 @@
image: dessalines/lemmy-ui:0.19.12
environment:
- LEMMY_UI_LEMMY_INTERNAL_HOST=lemmy:8536
- - LEMMY_UI_LEMMY_EXTERNAL_HOST=lemmy.ml
+ - LEMMY_UI_LEMMY_EXTERNAL_HOST={{ domain }}
- LEMMY_UI_HTTPS=true
volumes:
- ./volumes/lemmy-ui/extra_themes:/app/extra_themes
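Review bot: On the added `LEMMY_UI_LEMMY_EXTERNAL_HOST={{ domain }}` line, `{{ domain }}` is a template token that Docker Compose does not substitute itself, so anyone who downloads the file and starts it unchanged hands the literal string to lemmy-ui. Either add a comment above the line (and a sentence in the install page) saying it must be replaced with the instance's own domain, or use Compose interpolation with a required variable, for example `${LEMMY_DOMAIN:?set your domain}` (variable name hypothetical), so that startup fails instead of running with a wrong host.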
Edit: From https://github.com/LemmyNet/lemmy-docs/tree/main/assets
--- a/docker-compose.yml 2025-07-12 00:17:33.050443300 +0000
+++ b/docker-compose.yml 2025-07-12 00:18:21.038972526 +0000
@@ -37,7 +37,7 @@
image: dessalines/lemmy-ui:0.19.12
environment:
- LEMMY_UI_LEMMY_INTERNAL_HOST=lemmy:8536
- - LEMMY_UI_LEMMY_EXTERNAL_HOST=lemmy.ml
+ - LEMMY_UI_LEMMY_EXTERNAL_HOST={{ domain }}
- LEMMY_UI_HTTPS=true
volumes:
- ./volumes/lemmy-ui/extra_themes:/app/extra_themes
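Review bot: The file headers name `a/docker-compose.yml` and `b/docker-compose.yml` with local timestamps, while the surrounding comment places the file under `assets/` in lemmy-docs, so the patch only lines up when applied from inside that directory. Regenerating it with `git diff` from the repository root would give `a/assets/docker-compose.yml` paths and drop the timestamps, which is the form a PR reviewer will expect.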
Edit: Just to be clear, this applies to https://github.com/LemmyNet/lemmy-docs/tree/main/assets which is linked to from https://join-lemmy.org/docs/administration/install_docker.html
I am not typing here in the hopes that they will fix it. I am typing here to communicate to other users what’s up with it. Whether or not to fix it is up to them. You’re welcome to your opinion.
I think it would be very rare that people would put two and two together to realize that their password had been “stolen” by this event. Like I say, I have no real idea even if it is being stolen, just that it would be trivial for .ml to decide that they wanted to start keeping a little cache of everyone’s admin email addresses and passwords.
Like someone else said, if it was anyplace other than lemmy.ml, I wouldn’t give it a second thought, it would just be “whoa you gotta fix this.” I sort of agree with you that there’s not even really any strong indication that there’s anything all that bad they could do with it. It’s only because lemmy.ml moderation actions already have such a pattern of authoritarian dishonesty that I get to any degree paranoid or alarmed about it.
Within the last hour, dessalines has posted three things about communism that are longer than the fix for this issue.
Edit: Everyone’s got the right to do whatever they want to do. I’m not trying to accuse anyone of not spending enough time making software for me, just because occasionally they might want to do some other things with their life. The thing I’m trying to emphasize with this is how short the fix is. It’s seconds. It’s not one of those “but you have to recompile, what about this other branch” or anything like that. It’s literally a fairly critical security fix with 100% of the fix in a one-line change to a documentation file.
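For admins who already deployed from the docs file, a check for the setting discussed in this thread, added here as an example and not taken from the thread or from the Lemmy project. It reads a compose file as text and reports what `LEMMY_UI_LEMMY_EXTERNAL_HOST` is set to; the sample file and the domain `example.org` are constructed, and the function name is hypothetical.

```python
import re

# Constructed sample: the lemmy-ui service as the thread describes it in the
# docs' docker-compose.yml before the one-line fix.
SAMPLE_COMPOSE = """\
services:
  lemmy-ui:
    image: dessalines/lemmy-ui:0.19.12
    environment:
      - LEMMY_UI_LEMMY_INTERNAL_HOST=lemmy:8536
      - LEMMY_UI_LEMMY_EXTERNAL_HOST=lemmy.ml
      - LEMMY_UI_HTTPS=true
"""

KEY = "LEMMY_UI_LEMMY_EXTERNAL_HOST"
# Accept both compose styles: "- KEY=value" (list) and "KEY: value" (mapping).
ENTRY = re.compile(r"^\s*(?:-\s*)?['\"]?" + KEY + r"\s*[=:]\s*(?P<value>[^#\n]*)")


def audit_external_host(compose_text, own_domain):
    """Return (line_number, value, verdict) for every EXTERNAL_HOST entry."""
    findings = []
    for lineno, line in enumerate(compose_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out entries are not in effect
        match = ENTRY.match(line)
        if not match:
            continue
        value = match.group("value").strip().strip("\"'")
        host = value.lower().split(":")[0]  # ignore an optional :port
        if "{{" in value:
            verdict = "unreplaced template placeholder"
        elif "${" in value:
            verdict = "compose interpolation: check the variable's value"
        elif host == own_domain.lower():
            verdict = "ok"
        else:
            verdict = "not your domain"
        findings.append((lineno, value, verdict))
    if not findings:
        findings.append((0, "", "variable not set"))
    return findings


if __name__ == "__main__":
    for finding in audit_external_host(SAMPLE_COMPOSE, "example.org"):
        print(finding)
```

To audit a real deployment, pass the contents of the deployed `docker-compose.yml` and the instance's own domain instead of the sample.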
Yeah 100%, it’s all Docker’s fault at the end of the day