Max-P

Paste the URL in the search bar, it’ll fetch it locally on your instance and get you there. No need for link guesswork to find it on a particular instance.

1: is lemmy good for macro blogging? Like how you’d use something like Tumblr or the like.

Lemmy is a lot closer to Reddit, and is centered communities, not people. I think you’d have a better experience on one of the microblogging platforms for that use case.

2: when you create a community for yourself and post in it, does it reach other people or is it only if they actively search for it? Is it common here to create a community just for yourself to post blogs and the like? Can you even do that?

That’s a big “it depends” as some instances have bots to go subscribe to every community and pull it all in. Lemmy only federates content to instances that have at least one subscriber to the community, so discoverability would be a problem.

3: how does the federation thing work exactly? I’m from an instance that has downvotes disabled, so what happens when someone tries to downvote me?

You just don’t see them and they’re not counted in the score displayed to you. They’re still added up in the back end unless you post to a community with downvotes disabled, in this case then they’re discarded entirely. But since this community is on lemmy.ml and that one accepts downvotes, then they work as you’d expect. You still won’t see them on your side.

4: is lemmy safe from AI scrapping or nah? Is this platform good for artists compared to something like mastodon, twitter, or bluesky?

No, far from it. Everything is visible publicly, and when it’s public there’s little to do to stop AI scraping.

5: is there search engine crawling on lemmy? Are all posts on here possible to show up in search engines or nah? How do things work on that front?

Yes. I don’t even need to crawl Lemmy to index it, all the other instances are willingly sending it to me in real time. I have a copy of everything my instance has seen.

6: how’s development? Is lemmy going to continue to build and improve or are things gonna stay as they are for the foreseeable future?

Only the developers can comment but it seems slow but steady.

7: how privacy friendly and secure is lemmy really? I’m guessing a lot better then reddit, but just curious.

Zero, none. There is zero privacy on Lemmy because the fediverse is inherently public. I can see who voted what, I could see the entire edit history of a given post or comment, I could store all deleted posts and comments, the data is all on my server should I want to do anything with it.

So your privacy will depend solely on your OpSec: don’t share personally identifiable information or anything.

8: are there normal people or communities here? From what I’m seeing all of lemmy seems primarily focused on politics and tech, am not seeing much beyond that.

Those do drown pretty much everything else, but you can look at Lemmy Explorer and find communities you like and subscribe to them, and then browse by subscriptions. The default feed is basically a firehose of literally everything going in every community at once.

Some people also opt to just block the communities they’re not interested in such that all that’s left is interesting ones so you don’t miss anything.

No, otherwise the security cameras wouldn’t record and that’s precisely the opposite of what I want when I’m out.

Technically a lot of the newer chips used in datacenters support encrypted VMs which encrypts the RAM too, although you still have to trust that the hosting provider uses that feature.

When you subscribe to a community, you only start receiving data from that point on. It doesn’t go and download the history, that’d be very resource intensive on the remote instance. Thus it fetches a handful of posts, and no comments as a preview of the community, and after a couple days of activity is looks mostly normal.

There’s definitely security advantages to running things across multiple instances: if one gets hacked, the others are unaffected.

The networking should be pretty simple for what you’re doing. A few things just change to like 127.0.0.1 to something like 172.31.X.X or whatever IPs your VPC ends up using.

It looks like you’re doing very well, I’ve seen big companies with less security than that.

Misconfigured CORS is no worse than someone using curl, or postman, or any other tool of that kind. What could compromise your server is the backend side of things, the frontend is just a limited HTTP client in the end. The real risk is those making direct requests to your server. CORS is just an ask for browsers specifically to stop cross domain communication, it protects the users not you.

You can help that a lot by using containers like Docker or Podman, but you should also make sure your backend is secure. But the most risk really even then would usually be, break into your database via SQL injection or something like that, still not breaking into the whole instance.

If anything, making sure to use SSH keys, disable root login and general server best practices is way more important than your app. You’re more likely that your server itself will be attacked than the backend. Security comes in layers.

But realistically you’ll be fine, and if you do end up hacked, it’s a learning experience.

If you look at it from a different angle and ask: who might be interested by a user being reported, given that each instance operate independently? The answer is all of them.

• The instance you’re on could be interested because it might violate the local instance’s rules, and the admin might want to delete it even if from just that instance.
• The instance hosting the community, because regardless of the other two instances they might not want that there.
• The instance of the user being reported, because it’s their user and if they’re causing trouble they might want to ban the account.

The rest comes naturally: obviously if the account is banned at the source it’s effectively banned globally. If it’s banned on the community’s instance, then you won’t see that user there but might on other instances. And your instance can ban the user, in which case they’re freely posting on other instances but you won’t see it from your perspective.

The issue DNS solves is the same as the phone book. You could memorize everyone’s phone number/IP, but it’s a lot easier to memorize a name or even guess the name. Want the website for walmart? Walmart.com is a very good guess.

Behind the scenes the computer looks it up using DNS and it finds the IP and connects to it.

The way it started, people were maintaining and sharing host files. A new system would come online and people would take the IP and add it to their host file. It was quickly found that this really doesn’t scale well, you could want to talk to dozens of computers you’d have to find the IP for! So DNS was developed as a central directory service any computer can request to look things up, which a hierarchy to distribute it and all. And it worked, really well, so well we still use it extensively today. The desire to delegate directory authority is how the TLD system was born. The host file didn’t use TLDs just plain names as far as I know.

There’s definitely been a surge in speculation on domain names. That’s part of the whole dotcom bubble thing. And it’s why I’m glad TLDs are still really hard to obtain, because otherwise they would all be taken.

Unfortunately there’s just no other good way to deal with it. If there’s a shared namespace, someone will speculate the good names.

Different TLDs can help with that a lot by having their own requirements. .edu for example, you have to be a real school to get one. Most ccTLDs you have to be a citizen or have a company operating in the country to get it. If/when it becomes a problem, I expect to see a shift to new TLDs with stronger requirements to prove you’re serious about your plans for the domain.

It’s just a really hard problem when millions of people are competing to get a decent globally recognized short name, you’re just bound to run out. I’m kind of impressed at how well it’s holding up overall despite the abuse, I feel like it’s still relatively easy to get a reasonable domain name especially if you avoid the big TLDs like com/net/org/info. You can still get xyz for dirt cheap, and sometimes there’s even free ones like .tk and .ml were for a while. There’s also several free short-ish ones, I used max-p.fr.nf for a while because it was free and still looks like a real domain, it looks a lot like a .co.uk or something.

Because if they’re not owned, then how do you know who is who? How do we independently conclude that yup, microsoft.com goes to Microsoft, without some central authority managing who’s who?

It’s first come first served which is a bit biased towards early adopters, but I can’t think of a better system where you go to google.com and reliably end up at Google. If everyone had a different idea of where that should send you it would be a nightmare, we’d be back to passing IP addresses on post-it notes to your friends to make sure we end up on the same youtube.com. When you type an address you expect to end up on the site you asked, and nothing else. You don’t want to end up on Comcast YouTube because your ISP decided that’s where youtube.com goes, you expect and demand the real one, the same as everyone else.

And there’s still the massive server costs to run a dictionary for literally the entire Internet for all of that to work.

A lot of the times, when asking those kinds of questions, it’s useful to think about how would you implement it such that it would work. It usually answers the question.

In case you didn’t know, domain names form a tree. You have the root ., you have TLDs com., and then usually the customer’s domain google.com., then subdomains www.google.com.. Each level of dots typically hands over the rest of the lookup to another server. So in this example, the root servers tell you go ask .com at this IP, you go ask .com where Google is, and it tells you the IP of Google’s DNS server, then you query Google’s DNS server directly. Any subdomain under Google only involves Google, the public DNS infrastructure isn’t involved at that point, significantly reducing load. Your ISP only needs to resolve Google once, then it knows how to get *.google.com directly from Google.

You’re not just buying a name that by convention ends with a TLD. You’re buying a spot in that chain of names, the tree that is used to eventually go query your server and everything under it. The fee to get the domain contributes to the cost of running the TLD.

Mostly because you need to be able to resolve the TLD. The root DNS servers need to know about every TLD and it would quickly be a nightmare if they had to store hundreds of thousands records vs the handful of TLDs we have now. The root servers are hardcoded, they can’t easily be scaled or moved or anything. Their job is solely to tell you where .com is, .net is, etc. You’re supposed to query those once and then you hold to your cached reply for like 2+ days. Those servers have to serve the entire world, so you want as few queries to those as possible.

Hosting a TLD is a huge commitment and so requires a lot of capital and a proper legal company to contractually commit to its maintenance and compliance with regulations. Those get a ton of traffic, and users getting their own TLDs would shift the sum of all gTLD traffic to the root servers which would be way too much.

With the gTLDs and ccTLDs we have at least there’s a decent amount of decentralization going, so .ca is managed by Canada for example, and only Canada has jurisdiction on that domain, just like only China can take away your .cn. If everyone got TLDs the namespace would be full already, all the good names would be squatted and waiting to sell it for as much as possible like already happens with the .com and .net TLDs.

There’s been attempts at a replacement but so far they’ve all been crypto scams and the dotcom bubble all over again speculating on the cool names to sell to the highest bidder.

That said if you run your own DNS server and configure your devices to use it, you can use any domain as you want. The problem is gonna get the public Internet at large to recognize it as real.

Also, series F but they’re only deploying on one server? Try scaling that to a real deployment (200+ servers) with millions of requests going through and see how well that goes.

And also no way their process passes ISO/SOC 2/PCI certifications. CI/CD isn’t just “make do things”, it’s also the process, the logs, all the checks done, mandatory peer reviews. You can’t just deploy without the audit logs of who pushed what when and who approved it.

It’s instance dependent and likely small on bigger instances to reduce storage costs as it can grow really big. I don’t know the exact number for lemmy.ml.

You have to keep in mind, when you write JavaScript, there’s an entire runtime written in C++ to run it under the hood, with some crazy optimizations to make it reasonably performant. What type of languages do you use to write that runtime? A systems programming language like Rust and C++.

You don’t have to use Rust if you don’t like it. Not everything must be written in Rust. The whole pick a language also involves a lot of picking your tradeoffs. Picking a interpreted/JIT language for speed of development is a perfectly valid tradeoff, but not one you can universally make. Sometimes the performance cost becomes really expensive currency-wise, where you can save thousands of dollars on server costs by simply having a more efficient application that only needs a fraction of the hardware to run it. Even in JavaScript, a fair chunk of libraries you use end up calling to C++ native code because it would be too slow in pure JavaScript. Sometimes the tradeoff is pick the popular language so it’s easier to hire for cheaper.

Even at the dawn of time, most computers shipped with a variant of BASIC so people could write simple applications easily. But if you wanted to squeeze out every bit of power in your Apple II or C64, you sure did reach for assembly. Assembly sucks so we made C, then C++. Rust is still a language that’s made to eventually compile to assembly/binary and have the same performance as if you wrote it in assembly.

And low spec hardware still exists: the regular Pis have gotten pretty fast but if you run on an RP2040 then suddenly, you’re back in like 300MHz dual core land with pitiful amounts of memory, so you do need to write optimized and fast code for those.

Rust’s type system is actually really, really good. Most of the time, if it compiles it runs. It eliminates a ton of errors other than memory safety: the system is so powerful you can straight up make invalid state unrepresentable. You can’t forget to close a connection, you can’t pass the wrong data, you can’t forget to unlock a lock. It does a lot more to enforce correctness of a program well beyond memory safety.

Don’t worry about it, the frontends usually take care of using alternate sources if you want to:

You mean you’re not actually supposed to spend 2 hours daily unfucking everyone’s shit during the standup turn by turn?

I’ll take the autotools over Gradle, that’s how much it sucks.

I don’t think you can, and I think it makes sense: it would be weird for the compiler to unexpectedly generate hidden variables for you.

For all the compiler knows, the temporary variable could hold a file handle, a database transaction, a Mutex, or other side effects in their Drop implementation that would make when it’s dropped matter. Or it could just be a very large struct you might not expect to keep around until the end of the function (or even, the end of the program if that’s a main loop).

So you should be aware of it, and thus you need the temporary variable like you did even if you just immediately shadow it. But at least you know you’re holding on to it until the end of the function.