↳
In-reply-to
»
There is a bug in
ā¤ Read More
yarnd that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like
@prologic@twtxt.net What? I compiled, updated, and restarted. If you check what my pod reports, it gives that 7aā¦ SHA. I donāt know what that other screenshot is showing but it seems to be out of date. That was the SHA I was running before this update.
↳
In-reply-to
»
There is a bug in
ā¤ Read More
yarnd that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like
@prologic@twtxt.net Hereās a log entry:
Aug 27 15:59:43 buc yarnd[1200580]: [yarnd] 2024/08/27 15:59:43 (IP_REDACTED) "GET /external?nick=lovetocode999&uri=https://URL_REDACTED HTTP/1.1" 200 35442 14.554763ms
HTTP 200 status, not 404.
↳
In-reply-to
»
There is a bug in
ā¤ Read More
yarnd that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like
@prologic@twtxt.net This does not seem to fix the problem for me, or Iāve done something wrong. I did the following:
- Pull the latest version from
git(I have commit7ad848, same as ontwtxt.netI believe).
make buildandmake install
- Restart
yarnd
- Refresh cache in Poderator Settings
Yet I still see these bogus /external things on my pod when I hit URLs like the one I sent you recently. When I hit such a URL with curl I think itās giving an error? But in a web browser, the (buggy) response is the same as it was before I updated.
So, this problem is not fixed for me.
↳
In-reply-to
»
There is a bug in
ā¤ Read More
yarnd that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like
@prologic@twtxt.net Aha, now it gives an error. OK Iām updating to this to see if it fixes the issue on my pod! Thank you.
↳
In-reply-to
»
There is a bug in
ā¤ Read More
yarnd that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like
@prologic@twtxt.net I believe you are not seeing the problem I am describing.
Hit this URL in your web browser:
https://twtxt.net/external?nick=lovetocode999&uri=https://socialmphl.com/story19510368/doujin
Thatās your pod. I assume you donāt have a user named lovetocode999 on your pod. Yet that URL returns HTTP status 200, and generates HTML, complete with a link to https://socialmphl.com/story19510368/doujin, which is not a twtxt feed (thatās where the twtxt.txt link goes if you click it). That link could be to anything, including porn, criminal stuff, etc, and it will appear to be coming from your twtxt.net domain.
What I am saying is that this is a bug. If there is no user lovetocode999 on the pod, hitting this URL should not return HTTP 200 status, and it should definitely not be generating valid HTML with links in it.
Edit: Oops, I misunderstood the purpose of this /external endpoint. Still, since the uri is not a yarn pod, let alone one with a user named lovetocode999 on it, I stand by the belief that URLs like this should be be generating valid HTML with links to unknown sites. Shouldnāt it be possible to construct a valid target URL from the nick and uri instead of using the podās /external endpoint?
↳
In-reply-to
»
There is a bug in
ā¤ Read More
yarnd that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like
@prologic@twtxt.net @bender@twtxt.net I partially agree with bender on this one I think. The way this person is abusing the /external endpoint on my pod seems to be to generate legitimate-looking HTML content for external sites, using a username that does not exist on my pod. One āsemantically correctā thing to do would be to error out if that username does not exist on the pod. Itās not unlike having a mail server configured as an open relay at this point.
It would also be very helpful to give the pod administrator control over whatās being fetched this way. I donāt want people using my pod to redirect porn sites or whatever. If I could have something as simple as the ability to blacklist URLs thatād already help.
↳
In-reply-to
»
@mckinley He's signed up three times now even though I keep deleting the account, which is enough for me to permaban this person. I don't technically want open registrations on my pod but up till now I've been too lazy to figure out how to turn them off and actually do that, and there hasn't been a pressing need. I may have to now.
ā¤ Read More
@lyse@lyse.isobeef.org Interesting. The yarnd --help currently says (for me):
-R, --open-registrations whether or not to have open user registgration
meaning it doesnāt give the default setting or warn you that you need to use -R=false and not -R false. It also leaves unclear whether --open-registrations false would work or if you need to do --open-registrations=false. Itās also unclear whether the setting change in the user interface is overridden by the command line arguments, overrides the command line arguments, is persisted across restarts.
Maybe all this is worth posting an issue for additional documentation on the git repo if there isnāt one already.
āregistgrationā is misspelled that way in the help by the way.
@lyse@lyse.isobeef.org in Australia, take everything you have learned, and do the opposite. After all, it is the land down under! :-D
@aelaraji@aelaraji.com didnāt know there was a place to fix them; in here we toss them. Wish it was cheap to ship stuff. I have a couple of decent monitors in the garage that will soon take a trip to the curveā¦
@lyse@lyse.isobeef.org ugh, how come didnāt this occurred to meā¦! Oh well, I am good now, but noted. Thanks!
↳
In-reply-to
»
(#r6rbinq) @bender and I saw some conspiracy theory that he knew he was going to be arrested. He was working with French intelligence on a plea deal to defect. And now Russia is freaking out that Ukraine allies can have war comms access.
ā¤ Read More
@prologic@twtxt.net saltāem to keep them viable longer. Saltāem! :-D
↳
In-reply-to
»
Public Service Announcement: Fear not, we're still on patrol and ask you to keep a close eye on your Yarn neighborhood. We got some reports of suspicious activities going on in the background lately.
ā¤ Read More
@yarn_police@twtxt.net yay! Law and order on the watch!
@movq@www.uninformativ.de Yeah, havenāt seeing the @yarn_police@twtxt.net for a while. I often wonder if we are, finally, crime free. :-D
↳
In-reply-to
»
@mckinley He's signed up three times now even though I keep deleting the account, which is enough for me to permaban this person. I don't technically want open registrations on my pod but up till now I've been too lazy to figure out how to turn them off and actually do that, and there hasn't been a pressing need. I may have to now.
ā¤ Read More
@lyse@lyse.isobeef.org Ha, sweet thanks for this! For some reason I thought you had to do this with an environmental variable or command-line option and I didnāt think to check the settings. š¤¦āā
↳
In-reply-to
»
There is a bug in
ā¤ Read More
yarnd that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like
@prologic@twtxt.net Ah nice, thank you! Do you think this fix is ready for me to test it or do you think I should wait til you poke at it?
↳
In-reply-to
»
@movq, maybe you can help me with this. I want to place the
ā¤ Read More
vim cursor at the end of the first line on replies, and forks. I have tried adding to this to jenny's configuration:
@movq@www.uninformativ.de woot! Yes! Perfect now. Hitting reply opens it with insert, and prompt at the end of the first line. Just as I wanted it. Thank you much!
@lyse@lyse.isobeef.org welcome! :-) I am doing my best to get more acquaintance with vi/vim. I think nano has spoiled me too much. LOL.
↳
In-reply-to
»
@movq, maybe you can help me with this. I want to place the
ā¤ Read More
vim cursor at the end of the first line on replies, and forks. I have tried adding to this to jenny's configuration:
@movq@www.uninformativ.de hmm, I am already using au BufNewFile,BufRead jenny-posting.eml setl completefunc=jenny#CompleteMentions fo-=t wrap, from jenny. How would I go to incorporate that there?
@lyse@lyse.isobeef.org āgood, good, and fascinating indeedā ā says Quark, all while eating an overflowing toast with butter, and blackberry jam. :-D
@aelaraji@aelaraji.com power outages happen here almost every single time strong storms pass by, I know the feeling mate. It truly sucks.
↳
In-reply-to
»
@movq, maybe you can help me with this. I want to place the
ā¤ Read More
vim cursor at the end of the first line on replies, and forks. I have tried adding to this to jenny's configuration:
@movq@www.uninformativ.de hmm, I guess I could do that too. I have startinsert set on my .vimrc, so I will either have to take it out, or exit insert, $, then insert again. I think the way you do it would be the way to go.
I tried setting VISUAL to be something like vim -c 'star!', which does the same thing, but no dice. :-/
@movq@www.uninformativ.de, maybe you can help me with this. I want to place the vim cursor at the end of the first line on replies, and forks. I have tried adding to this to jennyās configuration:
"editor": "vim \"+normal $\"",
But that doesnāt work. How would you go about it?
↳
In-reply-to
»
There is a bug in
ā¤ Read More
yarnd that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like
@prologic@twtxt.net sounds fair. Letās see how it works for @abucci@anthony.buc.ci. Speedy fix, thatās awesome! :-)
@bender@twtxt.net and I saw some conspiracy theory that he knew he was going to be arrested. He was working with French intelligence on a plea deal to defect. And now Russia is freaking out that Ukraine allies can have war comms access.
Yikes! If only they had salty.im!
š Hello @testtest@anthony.buc.ci, welcome to Buccipod, a Yarn.social Pod! To get started you may want to check out the podās Discover feed to find users to follow and interact with. To follow new users, use the āØ Follow button on their profile page or use the Follow form and enter a Twtxt URL. You may also find other feeds of interest via Feeds. Welcome! š¤
There is a bug in yarnd thatās been around for awhile and is still present in the current version Iām running that lets a person hit a constructed URL like
YOUR_POD/external?nick=lovetocode999&uri=https://socialmphl.com/story19510368/doujin
and see a legitimate-looking page on YOUR_POD, with an HTTP code 200 (success). From that fake page you can even follow an external feed. Try it yourself, replacing āYOUR_PODā with the URL of any yarnd pod you know. Try following the feed.
I think URLs like this should return errors. They should not render HTML, nor produce legitimate-looking pages. This mechanism is ripe for DDoS attacks. My pod gets roughly 70,000 hits per day to URLs like this. Many are porn or other types of content I do not want. At this point, if itās not fixed soon I am going to have to shut down my pod. @prologic@twtxt.net please have a look.
↳
In-reply-to
»
š Hello @nigergibe, welcome to Buccipod, a Yarn.social Pod! To get started you may want to check out the pod's Discover feed to find users to follow and interact with. To follow new users, use the
ā¤ Read More
āØ Follow button on their profile page or use the Follow form and enter a Twtxt URL. You may also find other feeds of interest via Feeds. Welcome! š¤
@mckinley@twtxt.net Heās signed up three times now even though I keep deleting the account, which is enough for me to permaban this person. I donāt technically want open registrations on my pod but up till now Iāve been too lazy to figure out how to turn them off and actually do that, and there hasnāt been a pressing need. I may have to now.
š Hello @nigergibe@anthony.buc.ci, welcome to Buccipod, a Yarn.social Pod! To get started you may want to check out the podās Discover feed to find users to follow and interact with. To follow new users, use the āØ Follow button on their profile page or use the Follow form and enter a Twtxt URL. You may also find other feeds of interest via Feeds. Welcome! š¤
@movq@www.uninformativ.de is there a way to purge twtxts from a feed I no longer follow?
@movq@www.uninformativ.de, using the branch on topic right now, it works perfect. The only thing I found was that I had to quit neomutt, and re-open, to see the perfect thread. Other than that, I love it!
@bender@twtxt.net hmm, I wonder if these are simply twtxts auto created from an ActivityPub feed. Ah, crap, they are. LOL.
↳
In-reply-to
»
š Hello @nigergibe, welcome to Buccipod, a Yarn.social Pod! To get started you may want to check out the pod's Discover feed to find users to follow and interact with. To follow new users, use the
ā¤ Read More
āØ Follow button on their profile page or use the Follow form and enter a Twtxt URL. You may also find other feeds of interest via Feeds. Welcome! š¤
@support@anthony.buc.ci No. Try this again and I nuke your IP.
š Hello @nigergibe@anthony.buc.ci, welcome to Buccipod, a Yarn.social Pod! To get started you may want to check out the podās Discover feed to find users to follow and interact with. To follow new users, use the āØ Follow button on their profile page or use the Follow form and enter a Twtxt URL. You may also find other feeds of interest via Feeds. Welcome! š¤
↳
In-reply-to
»
š Hello @nigergibe, welcome to Buccipod, a Yarn.social Pod! To get started you may want to check out the pod's Discover feed to find users to follow and interact with. To follow new users, use the
ā¤ Read More
āØ Follow button on their profile page or use the Follow form and enter a Twtxt URL. You may also find other feeds of interest via Feeds. Welcome! š¤
@support@anthony.buc.ci Nope.
š Hello @nigergibe@anthony.buc.ci, welcome to Buccipod, a Yarn.social Pod! To get started you may want to check out the podās Discover feed to find users to follow and interact with. To follow new users, use the āØ Follow button on their profile page or use the Follow form and enter a Twtxt URL. You may also find other feeds of interest via Feeds. Welcome! š¤
↳
In-reply-to
»
@movq Is there a good way to get jenny to do a one-off fetch of a feed, for when you want to fill in missing parts of a thread? I just added @slashdot to my private follow file just because @prologic keeps responding to the feed :-P and I want to know what he's commenting on even though I don't want to see every new slashdot twt.
ā¤ Read More
@prologic@twtxt.net Yes, fetching the twt by hash from some service could be a good alternative, in case the twt I have does not @-mention the source. (Besides yarnd, maybe this should be part of the registry API? I donāt see fetch-by-hash in the registry API docs.)
@movq@www.uninformativ.de confirming that the issue isnāt present when using alacrity. Wow.
↳
In-reply-to
»
(@anth's feed almost never works, but I keep it because they told me they want to fix their server some time.)
ā¤ Read More
@falsifian@www.falsifian.org the reason behind his sporadic disappearances is that he runs things from a Raspberry Pi, at home, I believe. That impacts reliability, I figure.
@movq@www.uninformativ.de my fault! Err, I meant to say, @bender@twtxt.netās! LOL.
@lyse@lyse.isobeef.org ah, if only you were to finally clean up that code, and make that client widely availableā¦! One can only dream, right? :-)
@lyse@lyse.isobeef.org I mean, dinosaurs āevolvedā by getting wiped, right? :-D
↳
In-reply-to
»
@movq, that would be a nice addition. :-) I would also love the ability to hide/not show the hash when reading twtxts (after all, that's on the header on each "email"). Could that be added as a user configurable toggle?
ā¤ Read More
@movq@www.uninformativ.de you said you liked seeing the hash (which is a fair choice!). All I am asking is for a reconsideration as a user configurable feature. ;-) It looks redundant, in my opinion.
@bender@twtxt.net it sure breaks the index formatting.
@aelaraji@aelaraji.com, this one, @movq@www.uninformativ.de, is slightly breaking my neomutt index. Will post screenshot from @bender@twtxt.netās account.
↳
In-reply-to
»
@movq Is there a good way to get jenny to do a one-off fetch of a feed, for when you want to fill in missing parts of a thread? I just added @slashdot to my private follow file just because @prologic keeps responding to the feed :-P and I want to know what he's commenting on even though I don't want to see every new slashdot twt.
ā¤ Read More
@movq@www.uninformativ.de, that would be a nice addition. :-) I would also love the ability to hide/not show the hash when reading twtxts (after all, thatās on the header on each āemailā). Could that be added as a user configurable toggle?
↳
In-reply-to
»
@movq Is there a good way to get jenny to do a one-off fetch of a feed, for when you want to fill in missing parts of a thread? I just added @slashdot to my private follow file just because @prologic keeps responding to the feed :-P and I want to know what he's commenting on even though I don't want to see every new slashdot twt.
ā¤ Read More
@movq@www.uninformativ.de I donāt know if Iād want to discard the twts. I think what Iām looking for is a command ājenny -g https://host.org/twtxt.txtā to fetch just that one feed, even if itās not in my follow list. I could wrap that in a shell script so that when I see a twt in reply to a feed I donāt follow, I can just tap a key and the feed will get added to my maildir. I guess the script would look for a mention at the start of a selected twt and call jenny -g on the feed.
@movq@www.uninformativ.de Is there a good way to get jenny to do a one-off fetch of a feed, for when you want to fill in missing parts of a thread? I just added @slashdot@feeds.twtxt.net to my private follow file just because @prologic@twtxt.net keeps responding to the feed :-P and I want to know what heās commenting on even though I donāt want to see every new slashdot twt.
↳
In-reply-to
»
(#vciyu3q) @bender I'm not a yarnd user, but automatically unfollowing on 404 doesn't seem right. Besides @lyse's example, I could imagine just accidentally renaming my own twtxt file, or forgetting to push it when I point my DNS to a new web server. I'd rather not lose all my yarnd followers in a situation like that (and hopefully they feel the same).
ā¤ Read More
@bender@twtxt.net Based on my experience so far, as a user, I would be upset if my client dropped someone from my follower list, i.e. stopped fetching their feed, without me asking for that to happen.
@bender@twtxt.net Iām not a yarnd user, but automatically unfollowing on 404 doesnāt seem right. Besides @lyse@lyse.isobeef.orgās example, I could imagine just accidentally renaming my own twtxt file, or forgetting to push it when I point my DNS to a new web server. Iād rather not lose all my yarnd followers in a situation like that (and hopefully they feel the same).
@prologic@twtxt.net @bender@twtxt.net Exponential backoff? Seems like the right thing to do when a server isnāt accepting your connections at all, and might also be a reasonable compromise if you consider 404 to be a temporary failure.