Until I implement a better system to screen out spammers, I will be closing registrations on Fedia.io. That’s not what I want - I’d like for it to be available for legitimate accounts, but the spam is off the hook....
I know it's not ideal, but I fully understand the whole situation. Let's focus on making Mbin better for the existing users who are now experiencing CSRF or log-out problems. Hopefully after that, we can focus on improving anti-spam (since hcaptcha is not preventing any spam accounts for some unknown reason).
Maybe even considering additional an optional question? With only 1 correct answer. Or maybe even enforce 2FA.. I dunno.. But spam is getting out of control. Coincidence due to the rise of LLMs? Who knows. But anti-spam like hCaptcha, even set to "difficult" doesn't seem to cut it anymore...
Hi all. I've been having some problems keeping fedia.io running - at the moment, either the message workers or the php web server processes are dying after an hour or so and I have to restart everything. I have been working with the mbin team and installed some updates that we hoped would fix the problems, but no luck. I am...
We need server error logs. So when such a problem happens. And you can fully replicate the issue. I hope you can test it with @jerry and see if there is some error log at the server side happening as well.
That allows us (developers) to find hopefully the root-cause of this issue. If it's still present.
We can definitively use more developers. We are currently with only two: me and bentigorlich (recently debounced left as well as e-five). I also didn't use Symfony (the PHP framework behind it), but I now also got those skills in place.. So no worries, we are happy to help you. You can join us at Matrix, so it's easier to chat and discuss: Mbin Matrix space. I hope to see you there!
For now try Firefox or a fork: Floorp, LibreWolf, etc. I heard that works better.. I know this isn't the solution, but that is the best workaround atm.
If you want to know.. We did try to clean-up all those errors/warnings from the log and fix some of the issues in the main branch: https://github.com/MbinOrg/mbin/commits/main/.. We are not there yet obviously. But 1.7.x is now focusing on making Mbin more stable. @BentiGorlich is helping out as well here.
I really hope it's not a session issue with Valkey or something (I don't think so..). We are now just going deep into this issue I think. Both sessions & csrf. Since I notice already some weird config issues with csrf forms
The tokens used for CSRF protection are meant to be different for every user and they are stored in the session. That's why a session is started automatically as soon as you render a form with CSRF protection.
Moreover, this means that you cannot fully cache pages that include CSRF protected forms. As an alternative, you can:
Embed the form inside an uncached ESI fragment and cache the rest of the page contents;
Cache the entire page and load the form via an uncached AJAX request;
Cache the entire page and use hinclude.js to load the CSRF token with an uncached AJAX request and replace the form field value with it.
Or remove.. CSRF protection and keep the cache.. It's a trade-off.. @jerry How much protection does CSRF on these forms really gives the user? I'm "just" the software engineer, you are the SecOps expert here... I mean how likely is it really that sites are doing a Cross-Site Request Forgery ...
Thanks. I see. I do see the importance for login & logout forms having CSRF. But it does seems a bit overkill to have it on upvotes, boost and alike.. I could be wrong.
Could you join the conversation here? https://github.com/MbinOrg/mbin/pull/1130. We really are trying hard to debug this issue. Both CSRF form issue as well as log out issue.
I'm not sure what goes wrong, assuming kbin.social didn't block fedia, then I suspect some kind of issue at fedia.io. I believe we need to debug this issue on the server-side. Hopefully @jerry can have a look at his logs when trying to execute the search query above and maybe find the root-cause that way.
I appreciate that earnest made a post yesterday, or maybe it was the day before, saying that he is not dead and hasn't given up on kbin. It's not on this magazine, so I'm not sure where it was since this seems to be the most appropriate one, but in any case....
I asked Ernest 1 year ago about delegating and empower the software developers, but that didn't happen and will never happen. That was the reason to create Mbin.
It is good to really see your true nature now. I'm also think the fork is the best thing that could have happened for the community. It's a pity that you never started a conversation, but instead you still try to do mean things like this.
I know your approach on PRs. Hence the main reason of the fork. The community does believe in their people and the good in mankind. Only 1 approval is required from another maintainer for now. We are using C4 way of working.
Well I don't have a bad opinion about him (those are your assumptions), we just didn't agree on how a community project would/can work.
If however he did introduce intentionally a bug in kbin, just because of Mbin that's downright childish. The Mbin community does try to test all the incoming PRs (not just kbin sync PRs) on various instances apart from unit-tests, etc. We just do not want to depend on a single maintainer, hence a different way of working in the project.
He saying Mbin can't handle the kbin changes that is just not true (Odpowiedź: nie radzą sobie), at least we try to keep in sync (eg. for API comparability for upcoming mobile clients). But I'll leave it this, I'm not going to waste any more energy. I hope you understand.
We do have code reviews in GitHub and discussions on Matrix. We updated the README that reflect our latest way of working. As stated in the comment section we are also working on it in PR: https://github.com/MbinOrg/mbin/pull/34. Feel free to comment on that.
That is correct, we do not have an "official" instance or an "official" magazine. What follows now is MY OWN opinion, other community members might think differently.
Mbin is aiming for a federated and decentralized social network, I think the whole point of the fediverse is that there shouldn't be one main instance, right? Feel free to create a magazine where ever you want! Isn't that the beauty of activitypub? Maybe the idea takes some getting used to.
Despite the fork. I hope we can learn from each other indeed. That will only benefit both of us.
Although we merge into main it's not a release, we use GitHub/Docker tags to mark releases. And use semantic versioning if needed for minor and patch releases.
I feel a bit of negativity from you. This will be my last reply in this thread. She has resolved it herself by creating a magazine by herself on Mbin for Mbin: https://kbin.run/m/Mdev
First, I want to thank those who pointed me to mbin. I spent about 14 hours today with help from the mbin team on and off and found/fixed many problems....
Glad I could help! I wasn't aware either you were giving up hope.
Since Mbin is community-focused I really hope this will result in a better connection, collaboration and both bug fixes and new features what the users and the admins wants. Again, Mbin isn't about me, I forked it because I want to create a community build on trust giving back the control to the developers and users. You now also have GitHub owner rights on the organization as you know. We are all maintainers!
Officially not.. but the development slowed down too much and was too restricted by Ernest. I wanted to avoid a fork. But I didn't saw any good alternative.
I don't know what is happening with Ernest, he said there were families issues. He did respond to me on October 3 for the last time. However, developers were NOT allowed to merge pull requests from others. He stopped developers from merging code. He couldn't let it go, which is a problem if you are not in for weeks or sometimes months. The issue was that development become to a halt, contributors were no longer motivated! I tried to discuss this topic with Ernest multiple times now, without any answers. At some point it was the final straw. I forked the project and introduce a C4 Wow based on trust, allowing dozens of people to have owner rights and giving back the control to the developers, contributors and users or admins.
Moving to GitHub was only done because Codeberg was down too often in the past year. Which was very frustrating when you want to work together with people. So I also moved to GitHub with GitHub Actions during the forking.
I was also trying to prevent a fork, but I didn't saw any way out. Hence the fork by the community, for the community. I hope so as well, the idea is that we work as a real team and active contributors have GitHub owner rights. We peer-review each other code and are allowed to merge pull requests. There is no single maintainer, we are all maintainers.
Today, a technical server malfunction occurred. Unfortunately, it wasn't the planned update yet. The upcoming one will definitely be much shorter ;)...
This week (at the latest at the beginning of next week), there will be a several-hour technical break. A banner with detailed information about this will appear 24 hours before the planned work....
API is part of the kbin code base (on latest develop branch). For example https://kbin.melroy.org also have API enabled. But kbin.social is still not upgraded until this day.
Error when voting (fedia.io)
I tried to upvote this comment:...
Closing registrations in Fedia.io due to spammers (fedia.io)
Until I implement a better system to screen out spammers, I will be closing registrations on Fedia.io. That’s not what I want - I’d like for it to be available for legitimate accounts, but the spam is off the hook....
Fedia.io instability (fedia.io)
Hi all. I've been having some problems keeping fedia.io running - at the moment, either the message workers or the php web server processes are dying after an hour or so and I have to restart everything. I have been working with the mbin team and installed some updates that we hoped would fix the problems, but no luck. I am...
What are my options when a community/ magazine doesn’t exist on fedia.io? (fedia.io)
This is something that could go in the FAQ. If the answer is to post to a community on another instance, I never figured out how to do that....
Ernest needs to quickly delegate or this instance will quickly die (kbin.social)
I appreciate that earnest made a post yesterday, or maybe it was the day before, saying that he is not dead and hasn't given up on kbin. It's not on this magazine, so I'm not sure where it was since this seems to be the most appropriate one, but in any case....
Mbin: A kbin fork that promises to never review PRs before merging them (kbin.social)
Somebody who was previously active on the kbin codeberg repo has left that to make a fork of kbin called mbin....
Big update for Fedia.io - it’s not going anywhere (fedia.io)
First, I want to thank those who pointed me to mbin. I spent about 14 hours today with help from the mbin team on and off and found/fixed many problems....
Are there any kbin instances which are up to date with the source code? (kbin.social)
I know Ernest is working on getting ready to update kbin.social but are there any other instances which are faster with the bug fixes and updates?
We're back (kbin.social)
Today, a technical server malfunction occurred. Unfortunately, it wasn't the planned update yet. The upcoming one will definitely be much shorter ;)...
October: kbin.social planned technical outage (kbin.social)
This week (at the latest at the beginning of next week), there will be a several-hour technical break. A banner with detailed information about this will appear 24 hours before the planned work....