I don't know what this xz thing is about, first time hearing it. But people saying he should get more help are trying to help him, not having malicious plans like installing backdoors or whatever.
I do think people should ask less for more maintainers — the project is already opensource, so it's up to maintainers to join, not him to seek them out. But he should still get some help with managing the instance. Pauses in development are fine imo, but the instance shouldn't be swarmed with spam and account deletion requests lost in limbo just because ernest got sick or something, which can happen with the best work life balances.
I don't know what this xz thing is about, first time hearing it.
Someone pressured the maintainer of a compression tool used in a bunch of open source software to hand over the keys by citing burnout and offering to "help" then spent ~3 years slowly adding tiny changes that combined to form a backdoor in SSH that nearly compromised the entire internet or something.
It was only barely caught by accident because it made some thing some guy was doing that wasn't even related a fraction of a second slower.
Been all over the FOSSiverse for days, and the social engineering that was used on the xz maintainer reminded me personally of similar pressure certain people have applied to Ernest in most threads about kbin performance I have seen.
The reason it worked is because sometimes burnout is a real problem, and getting extra help is a real solution. The fact that this was exploited in one situation doesn't mean that all of a sudden there isn't any real burnout or genuine offers to help any more.
A project can sometimes benefit from help even if there is no burnout. People have limits.
I mean, he’s developing and administrating what’s essentially a Reddit clone all on his own.
And doing a damn fine job.
The question was if you saw similarity in the pressure to add maintainers to the project with the social engineering that lead to xz getting backdoored.
I’m not going to pick through his last year’s posts and make a diagnosis, but if you’ve seen no evidence of that, I think you’re wilfully ignoring the signs.
I’m not going to pick through his last year’s posts and make a diagnosis, but if you’ve seen no evidence of that, I think you’re wilfully ignoring the signs.
Ok, I'll continue "ignoring" evidence you can't even describe ("He talked somewhere about..."), much less cite.
For all we know his frequent absence is down to a great work-life balance on his part.
Irrespective this thread is not about who is or is not burnt out, it's about how posts like your are what enabled the xz backdoor to happen.
Irrespective this thread is not about who is or is not burnt out, it's about how posts like your are what enabled the xz backdoor to happen.
I thin you need to chill a bit. Open source has a long illustrious history of people cooperating to build software and submit patches and enhancements which are then scrutinized by project leads. Yes, occasionally bad actors use this model to try and slip through exploits, but you don't throw out one of the strengths of open source because of that. You make sure mechanisms are in palce to allow robust scrutiny.
And no, I'm absolutely not going go through someone's post history and quote bits that show someone is frazzled. I expect you to have enough empathy
I used it as a support to my argument, so, it’s relevant. No evidence, you say… I don’t want to talk too much about someone’s health issue. Just believe what you believe. I don’t think you can change your view through online discussion.
No, he's not. Kbin was recently down for a week. Then voting and comment counts broke. Before all that I had to get into the habit of reloading the page I was on every time I wanted to vote on something. It's a terrible user experience.
That's not to say I don't like him or he's not a good dev or whatever. Just that people have limits and it sure seems like he's bumping against his.
I didn't say anything about burning out. A job can be too big or difficult for a person without them burning out.
Ultimately, it's just a question of results. If kbin.social is working poorly but other alternatives are doing good, I move on. That works well in the Fediverse especially, as evidenced that I am commenting from fedia.io.
Likewise I also moved on from Kbin. Obviously we have no power over that project, that belongs solely to the person who created it, but we do control our own actions. e.g. I used to sing the praises of the Fediverse and go out of my way to not equate it with Lemmy - always saying like Lemmy/Kbin. Now I still do the former but I actively tell people that Kbin might not be a good match for them. Ernest has kept it as alpha version software - which is fine, there is a need for such things, and it will become great, someday… hopefully. But today is not that day, and that is super good for people to know, e.g. that they don’t have to leave the Fediverse entirely to get a more functional experience, just Kbin.social.
fedia.io is running mbin, which is a fork of kbin. It seems to be doing well, so you could switch to Lemmy/mbin if you don't want to include kbin any more but still want to show alternate clients are possible.
Thank you for the suggestion. So far I’ve just taken to saying “Fediverse”, perhaps I’m holding out hope for still more clients in the future:-)? Also it’s shorter than Lemmy/Kbin/Mbin:-).
Exactly! More and more products can be added - like now we are hearing about Fedi-wikis (from the original Lemmy developer iirc), and ofc there will be Threads (whether we dread it or not!), so the Fediverse (iirc, defined basically as anything that uses the ActivityPub protocol?) is growing up, spurred onwards by the ongoing demise of Reddit even if started long before. :-)
Kbin/Mbin is still the only platform(s) to try to bridge the two.
Moreover it seems to have better discoverability than mastodon Mastodon. I can type a word or phrase in the search bar on kbin and find "Mastodon" posts whereas I'm stuck viewing whatever is timeline trending on Mastodon proper unless I follow someone or can figure out whatever hashtag person might have affixed to their post.
Even with kbin being down a good 1/5 of the time it remains the best ActivityPub viewing experience (in my).
He is doing an excellent job, and I do not mean to denigrate his work when I say the task is beyond any one person, no matter how talented and dedicated. Look at the issues that went on recently while Ernest was indisposed, and we had months of federation issues that led to communities migrating away and Kbin.social getting defederated by other instances.
This project is getting too large for any one person, and it’s far too important to have one point of failure. And even someone as great as Ernest needs an understudy.
The existence of one bad actor doesn’t make the principle any less true.
Kbin has long since surpassed what Ernest is capable of handling by himself. Either he’s going to have to learn to delegate, or it’s going to collapse under its own weight.
I realize that a magazine I made isn't available through lemmy.world and lemmy.ml and some communities from there aren't available here. Does someone know why?
Normally if nobody from an instance has subscribed it doesn't show up in searches from that instance. You have to manually type the exact url and subscribe that way. Once one person has done it, it will show up.
To newly federate a magazine with Lemmy, search for it using the syntax !Polytopia@kbin.social in Lemmy's built-in search. This worked for me instantly when I just tested it on lemm.ee, after confirming that it 404s before doing it.
for a magazine to show up on lemmy, a logged-in user needs to visit it first. afterwards, to ensure that new content is published to lemmy instances, someone from that instance needs to subscribe to the magazine. this needs to happen on every instance as far as i know. this is one of the reasons services like lemmy-federate.com or browse.feddit.de exist.
I have now been banned from cat@lemmy.world :( I haven't attempted to post or comment today anywhere except now. I've only liked posts today, so that narrows down the actions required to trigger the problem. I liked 4 posts over the last 24 hours in that community.
Hope that helps someone narrow down replication steps for the problem.
I am definitely not qualified for instance level moderation, but may be for a magazine. Is that part of what you are looking for? I did put a request in for one a ways back, but perhaps am not qualified for that, either. It would be a good step i think. But I don't know. I can go thru the abandoned list again.
@ernest thank you for the update and everything. Its great to hear your personal matter is kinda sorted.
I already have the moderation of several magazines so I won't be able to contribute to that more, I think.
I am a little bit familiar with bug reporting, not in github tho. So I just created a github account and a codeberg to try and contribute. Of course I will have to spend time checking out the existing ones and familiarizing myself with the platforms. I say all this because if you or any of the active devs, have test cases or a specific area that you would like to check first or anything relevant, I would gladly do my best to help on demand.
"This week, I also refreshed the project's code, and it seems like I'm slowly getting back on track regarding health matters."
I am glad you are getting better.
I will have to have a look into helping with moderation though I take it site moderation is at the instance level unless you mean for magazines?
kbinMeta
Newest
This magazine is from a federated server and may be incomplete. Browse more on the original instance.