This is VERY bad news for users of small instances like myself.
I do understand the reasoning behind it, and I'm not sure there is a good alternative. But it sure feels a bit like a deja vu from the self hosted email days ...
for admins who might want to keep an eye on this one particular scraper, as useful as it is, the tokens are created with app name #FediBuzz and app website https://fedi.buzz/. (Mastodon autolinking is mangling the URL there, but it's the whole URL from https:// to trailing /).
note that they don't have to be. FediBuzz could just as easily pretend to be Toot! or Tusky or Pinafore. but it is currently politely identifying itself in a normal way.
I have a friend that died in June 2022, months after setting his instance over Musk in April 2022. He is the only admin for the instance of 14 users and it is still going. I'm not sure how it is still going. Luckily, it is on Masto Host and they do upgrades & it is set to auto approve new registrations, already. Maybe some linked payment account the family doesn't know about and when it dries up the domain will go stale.
Just throwing this out there: For my freelancing I often need to share passwords or other secrets with clients. (Or they with me.)
I usually suggest Signal for that, but obviously most people don't have that.
Is there a good (and not too pricey - I only do very few freelance projects, so only need it once every few months) password sharing option for this?
I tried 1Password shared vaults, but even that is just too complex for many of my clients.
Open to self hosted ideas, as I have a server I could install this on.
Ideally a very simple thing where both my clients can securely input passwords to share with me without having to create an account (secret link and OTP, or something like that) and I can share links with clients.
@michael well there are tools like https://pwpush.com/ which you can (and should) host yourself. here the customer could create a secret and phone you the password to access it.
The reason I'm suggesting this, is because if you are a small/medium instance with open registrations, and spammers find and abuse your instance, I imagine that other instances will limit/suspend your instance without hesitation, given how willing some were to limit/suspend the much larger mastodon.social.
But do note this comment on the PR:
“To give some context to people seeing this: this is an emergency feature backport from Glitch SOC to help mitigating an ongoing spam wave, this feature may not make it in a next release, or with significative changes.”
Edited to add: multiple people have rightly commented on the accessibility concerns with hCaptcha: hCaptcha is really really really bad for blind and visually impaired people.
Please have a look at this excellent reply for more details:
@michael "You may wish to consider implementing hCAPTCHA yourself to protect your own instance,"
Please note that if you do this, it will prevent many blind people from signing up onto your instance. hCAPTCHA does not have an audio version; instead, if you cannot complete the visual version for whatever reason, you have to give them your email (!), so they can send you a link to a site for setting an accessibility cookie.
This cookie frequently does not work at all. It has a time limit before you can set it again, so if it fails to set, or if you close the browser and have automatic deletion of cookies enabled, as you should, you'll just have to wait. And of course, it only works within browsers, not applications; Discord is an excellent example of a non-passable captcha.
Enabling application signups is a much more accessible way of avoiding spam. If this is something the admin team cannot handle, it is time for going invite-only.
@michael Please, please do not do this under any circumstance, if you care about your instance being accessible to the #blind and visually impaired (hint, you should).
#HCaptcha is a horrible example of how not to implement a #captcha solution, forcing people to register their email address and store a cookie, as well as disable cross origin restrictions on their devices in order to pass validation.
There are much better alternatives, such as the no-hassle https://github.com/mCaptcha/mCaptcha, which does not need any user input other than checking a checkbox. Alternatively, use captchas that provide text versions, e.g. via solving a math question or at the very minimum, provide an audio version, knowing that it is not ideal for the hearing impaired.
@michael one thing i don't like about Mastodon's search that i hadn't gotten around to fixing is that it treats search terms as optional unless they're prefixed by a +.
this interacts badly with both the date-based sorting for post results and the function-based sorting for account results, and imo, i'd rather get no results for a multi-term search than results that only contain some of the terms.
try applying this:
diff --git a/app/lib/search_query_transformer.rb b/app/lib/search_query_transformer.rb
index 8f9d1c75d..d004eb523 100644
--- a/app/lib/search_query_transformer.rb
+++ b/app/lib/search_query_transformer.rb
@@ -159,7 +159,7 @@ class SearchQueryTransformer < Parslet::Transform
when '-'
:must_not
when nil
- :should
+ :must
else
raise Mastodon::SyntaxError, "Unknown operator: #{str}"
end
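Review bot: The `when nil` branch now returns `:must`, so a term with no prefix becomes required and, going by the post's description that a `+` prefix already marks a required term, the two forms end up equivalent with no remaining way to express an optional term. If that is intended, the change should say so in the search documentation and come with a spec for a multi-term query in which only some terms match, asserting that it returns no results; if optional terms are still wanted, an explicit operator for them would need to be added alongside the `'-'` and `nil` branches shown here.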
@michael it's kinda heavyweight for what it does, has had a dubious privacy story since day 1, and it's written in a language i'm not a huge fan of, with very few comments.
GtS has great comments and docs, and while i'm not a huge fan of Go either (Rust is the closest language to my heart right now), i find it much more predictable than Ruby. i think GtS will be a better long-term platform for Fedi development. also, the dev team is awesome.
“The fediverse is a privacy nightmare” - A lot of good thoughts by @Bloonface
Whilst the headline may be inflammatory, the thrust of the article stands: That as soon as you publish anything on the fediverse it'll get copied to 10’s of 1,000's of servers, and is then completely and irrevocably out of your control.
Some may argue that's a feature rather than a bug (and I'd be tempted to agree to a large extent), but I wonder what proportion of the fediverse is aware - let alone understand the implications - of it.
I'm super happy to announce the release of #FediFetcher v6.0.0.
The headline feature is that FediFetcher now supports pulling in context and missing posts from #Lemmy servers! Thank you so much, @teq for your hard work.
Over the last few days I'm getting a lot of errors in my Mastodon UI.
In my web server logs I get this error a lot:
ActiveRecord::ConnectionTimeoutError (could not obtain a connection from the pool within 5.000 seconds (waited 5.000 seconds); all pooled connections were in use)
I just checked, and it appears that only about 1% of all 300k Mastodon users that my instance knows about currently have opted into full text search 😢
Really hoping that number will increase!
Also, does anyone know how Mastodon indexes users from non-Mastodon fediverse servers? These presumably don't have the indexable flag set. I hope Mastodon still indexes those, given that pretty much all other Fediverse software indexes all users?!
(edit: been asked a few times how i got those numbers: Two simple SQL queries: select count(*) from accounts; followed by select count(*) from accounts where indexable = true;)
@michael did another check. went up to 3%, still not huge. a shame. I do not think 97% people are against it, they probably do not realize this is something that can be turned on.
@michael I don't think you're missing anything: the formula for calculating colour contrast doesn't always reflect the way we perceive colour.
I'm not an expert (at all!) on this, but I know that the W3C plans to revise the formulas and guidelines for colour in #WCAG 3.
The new version will analyze "perceptual" contrast instead of just "luminance". And it will account for the "polarity" effect of light text on dark backgrounds.
I've noticed a lot of chatter about setting up Elasticsearch for Mastodon 4.2's new full text search over the last few days, including what hardware is required, how difficult is it, etc.
So I thought I’d write down my experience, including the hardware I'm running Elasticsearch on for my single user instance:
@michael well, I'd need to beef up the server a little bit, and in such case I'd rather follow your approach of having 2 servers.
I think the real question in my mind is about what the value of having the full text search is in the first place... I am feeling like if I could get it for free, I'd be happy to take it, but as soon as it starts costing money, I struggle to justify it.... hashtags work too well.
@kikobar yep, I agree with your comment about the value of search.
This also isn’t helped by the fact that only a tiny minority of accounts are currently opted into search.
One of my main uses of search for example is to search for blog post urls, to see what others are saying about it. But I’ll still be very likely to miss 99% of the conversation.
So, yeah, it’s borderline for sure. Though you could easily patch your instance to include opted-out users in search, but that won’t make you popular 😁
Wondering if Mastodon GmbH filed a trademark complaint?
Also highlights one problem with Mastodon: you cannot change the domain name of an instance. If the problem (whatever it is) isn't resolved, the instance is gone forever.
Registrars have to immediately take down domains on request from a competent authority. Usually police or courts to stop illegal activity.
Trademark complaint is a civil matter. Little to be lost referring a complaint and evaluating a response.
Worrying factor here is the xyz registry not informing the domain holder immediately so a mistake can be quickly cleared up. But 48 hours - are they serious for something so serious.
Or perhaps the warning email was on the same domain. Oops!
It looks like we know why mastodon.xyz was suspended: It was because there was CSAM found, and not dealt with in a timely manner.
They had apparently ‘received several reports via Mastodon over the past few days for this same account, which [they] had not yet dealt with’.
I don’t think that's good enough, to be honest. I appreciate that a single person cannot deal with everything within minutes. But that's why you have multiple mods. An instance of that size (2.5k active users) cannot have just a single mod, especially if that mod feels comfortable leaving ‘several’ CSAM reports for a ‘few days’.
Also rather disappointed with the registry whitelisting the domain, to be honest: If the mod is unable to deal with CSAM in a timely manner, then imo that's exactly why both the registry and the hosting provider have their procedures.
For #FediFetcher I'd like to use the ActivityPub API, rather than the Mastodon API to pull replies.
For example: At the moment I'm using the api/v1/timelines/home endpoint to get all statuses in my timeline. I then attempt to get replies from the remote servers.
But the uri that mastodon returns in that response is to the Mastodon API endpoint. This is annoying, because obviously Mastodon != Fediverse, and I'd love to just go to ActivityPub, rather than implement each software separately.
Is it possible to somehow get ActivityPub endpoints for those statuses?
The more I’m trying to learn Arabic the more I’m becoming convinced that whoever came up with that script, did so with the express intention to mock learners.
How else can you explain that ج ح and خ all make very different sounds, whilst the sounds for ث and ط are essentially indistinguishable 🙄
@skribe Many different written systems as well. For example in Egypt you have at least the following:
Religious/old Arabic as used in both mosque and Church settings (I don't even know whether these are both using the same language, but I doubt it)
Formal Arabic as used in the news, courts, etc.
Informal Arabic as used in every day settings (and which of course has lots of different dialects - Egypt is a large country [though maybe not so large when compared to Australia 😆]).
Each of these has their own grammar and vocabulary. And there'll definitely be people in Egypt who’ll only be able to understand 1 or 2 of these (especially because illiteracy is actually still quite common, so lots of Egyptians really only know informal Arabic).