On 0.19.3, you can:
- Limit the file upload size for local users through nginx configuration
- Disable incoming federated images through Lemmy configuration: https://github.com/LemmyNet/lemmy/blob/main/config/defaults.hjson#L49 (set this to false)
If I have several backends that more or less depend on each other anyway (for example: Lemmy + pict-rs), then I will create separate databases for them within a single postgres - reason being, if something bad happens to the database for one of them, then it affects the other one as well anyway, so there isn’t much to gain from isolating the databases.
Conversely, for completely unrelated services, I will always set up separate postgres instances, for full isolation.
Interesting project! Can you explain the vision a bit more - I understand that every instance can have their own version of an article, but how would a user know which version of an article is most relevant to them to read (and maybe even contribute to)?
Sorry if you were just making a joke, my sarcasm detector is not really working anymore (/s at the end would help). But if not, this comment really perfectly captures the entitlement in open source.
Now imagine you spend months (or even years) of your free time to build something for people to use freely, and the result is that you get endless comments from random strangers, telling you that you work for them and that you need to respect and be grateful to them. I honestly am impressed that open source still exists at all at this point.
I just want to add a counter-point to the argument that Lemmy devs are somehow opposed to contributions. In my experience, there has been no resistance to contributing any type of change (I have personally added niche features for running Lemmy in a distributed manner, optimizations, bug fixes, etc). In fact I would claim the complete opposite - I have received plenty of support and good code reviews from maintainers whenever I have wanted to contribute anything.
I think there is truth to the claim that Lemmy maintainers don’t have a lot of patience for people making demands and snarky comments, but that is very different from being opposed to contributions. Also, after running a big instance for a while now, I completely understand this lack of patience - when some of your users just keep being rude to you, it wears down your patience. It’s easy to patiently and kindly respond to the first 100 rude users, but at some point after that, it just becomes gradually more mentally exhausting, to the point where it’s basically impossible.
Even the example provided in the blog post: I don’t think snowe had bad intentions, but I do think they had clearly misinterpreted the situation with that issue, and their comments were needlessly condescending.
On Lemmy 0.19.3, reports go to:
They specifically called it “child abuse content”, not “child abuse”. This seems perfectly valid, no?
By the way, just because these are digital renderings does not mean that there is no harm. Seeing such content can still be harmful to past victims. Just try to put yourself in this situation: imagine just playing some video game online, and suddenly being exposed to people recreating traumatic experiences from your past. Not only that - you also discover that the creators of the video game are involved & actively enabling such content. Seems completely messed up to me.
That particular instance was very recently the source of a lot of CSAM and spam, so that’d be why. A lot of instances recently upped their security to combat that.
Just to add some more context, there was an attacker recently who created accounts on several Lemmy instances and used those accounts to spread CSAM. On lemm.ee, this attacker created 4 accounts over a 24h period, but was not able to upload any CSAM to our servers due to our stricter upload rules (we require 4 week old accounts to upload any images at all), and all of the 4 accounts were removed very shortly after creation (most of them within an hour of signing up). The attacker gave up trying to use lemm.ee very quickly, and moved on to other instances.
I just wanted to share this context to illustrate that while indeed the different measures we implement to protect the instance can have a negative impact on legitimate users, I really believe that overall, they have a net positive effect. In addition to Cloudflare DDoS protection and image upload restrictions, we also have a separate content-based alerting layer on top of Lemmy, which allows our admins to quickly notice when something suspicious is going on. As another example, this alerting has allowed us to extremely efficiently deal with a current ongoing spam attack on the Fediverse, and I bet many lemm.ee users aren’t even aware of this attack due to the quick content removal. We will continue to improve our defenses, and hopefully try to limit the impact on real users as much as possible, but some trade-offs are necessary here in order to protect the overall userbase.
The nice thing about Lemmy is that you can always host your own instance, even if it’s only for your own individual use. You can basically use your own instance as a proxy - other instances will not see how or from where you are connecting to your instance.
Large instances are being attacked almost constantly at this point in smaller and bigger ways. Almost all measures we implement to combat these attacks come with some trade-offs for the rest of the userbase.
Did the upgrade solve it for you?
What exactly is the issue with our admins? If you feel you’ve received some unjustified moderation, feel free to contact me and I can have a look.
I’ve played the first two hours on PS Plus and it’s excellent so far. I’m actually considering purchasing it separately on Steam just so I can play it on the Steam Deck as well 👀
As a test, I ran this on a very early backup of lemm.ee images from when we had very little federation and very little uploads, and unfortunately it is finding a whole bunch of false positives. Just some examples it flagged as CSAM:
Do you think the parameters of the script should be tuned? I’m happy to test it further on my backup, as I am reasonably certain that it doesn’t contain any actual CSAM
Any thoughts about using this as a middleware between nginx and Lemmy for all image uploads?
Edit: I guess that wouldn’t work for external images - unless it also ran for all outgoing requests from pict-rs… I think the easiest way to integrate this with pict-rs would be through some upstream changes that would allow pict-rs itself to call this code on every image.
This approach makes so much sense from a business perspective.
How many here have this experience: out of my entire friend group that I grew up playing video games with, I can’t think of a single person who kept pirating games after acquiring disposable income, even though we all exclusively played pirated games as teenagers. Without piracy, none of us would have had access to any games, and very likely none of us would still be into gaming today, spending probably thousands of euros every year on games, consoles, PC components, etc.
You are correct, this is one of several security issues with the current 2fa implementation.
I started working on an improved version of 2fa for Lemmy last week. Unfortunately, I’ve been very busy for the past few days with some other stuff, but I’m hoping to get a PR up this weekend.
Damn, even $11.99 sounds like a lot - I only pay 12.99€ for a family plan in Europe.
Nice work!
I already made a proposal to improve the default theme, but my issue was closed without any response from the developers.
You’re misinterpreting what happened there - the issue was not closed to shut it down, it was actually converted into a discussion to make it easier to track: https://github.com/LemmyNet/lemmy-ui/discussions/1503
It wasn’t exactly one specific issue that could be fixed, it was a longer discussion with a bunch of branches. For such things, the discussions format is much more usable.
So it seems that UI is not a priority to Lemmy developers.
I just want to point out that there has been a massive amount of UI improvements in 0.18 and 0.18.1 (just take a look at all the changes by @jsit for example: https://github.com/LemmyNet/lemmy-ui/pulls?q=is%3Apr+author%3Ajsit+). In addition, new themes are being created directly for the lemmy-ui repo as well, for example: https://github.com/LemmyNet/lemmy-ui/pull/1682
I think there are two separate things I want to address here:
First, agile isn’t a project management methodology, it’s just a set of 4 abstract priorities and 12 abstract principles. It’s very short, you can check it out here:
https://agilemanifesto.org/
Nothing here says that you’re not allowed to write documentation, write down requirements, etc. In fact, the principles encourage you yourself as a software team to create the exact processes and documentation that you need in order to meet your goals.
“Working software over comprehensive documentation” does not mean you aren’t allowed to have documentation, it just means that you should only write documentation if it helps you build working software, rather than writing documentation for the sake of bureaucracy.
“Individuals and interactions over processes and tools” does not mean that you should have no processes, it just means that the individuals in your team should be empowered to collaboratively create whatever processes you need to deliver good software.
Secondly, in terms of practical advice:
a. You have metrics about how your system is used.
b. You have automated tests covering any requirements, so that you can feel confident when making changes to one part of the system that it isn’t violating any unrelated requirements.
c. You actually document any confusing parts in the code itself using comments. The most important thing to cover in comments is “why is this logic necessary?” - whenever something is confusing, you need to answer this question with a comment. Otherwise, the system becomes very annoying to change later on.
If you are missing any of the above, then propose to your team that you start doing it ASAP.