What is Lemmy?
Lemmy is a self-hosted social link aggregation and discussion platform. It is completely free and open, and not controlled by any company. This means that there is no advertising, tracking, or secret algorithms. Content is organized into communities, so it is easy to subscribe to topics that you are interested in, and ignore others. Voting is used to bring the most interesting items to the top.
Changes
This release took a long time to complete due to a major performance problem which brought lemmy.ml to a crawl every time we tried to deploy the new version. It took a lot of testing (in production) to narrow it down to a single commit, and finally fix the problem.
The release itself contains numerous bug fixes and minor improvements:
Lemmy
Enhancements
- Parallel federation sending by @phiresky in #4623
- Reduce CPU usage for generating link previews by @phiresky in #4957
- Switch from OpenSSL to rustls by @kwaa in #4901
- Increase max post url length to 2000 characters by @dessalines in #4960
- Increase max length of user bio to 1000 charactes by @dessalines #5014
- Reduce maximum comment depth to 50 by @nutomic #5009
- Resize post thumbnails by @nutomic #5107/files
- Add category to RSS feeds by @nutomic #5030
- Allow users to view their own removed/deleted communities by @dessalines in #4912
- Add backend check to enforce hierarchy of admins and mods by @dessalines in #4860
- Do pictrs transformations for proxied image urls by @dessalines in #4895
- Enable more build optimizations by @nutomic in #5168
- Calculate "controversial" ranking with exponent instead of multiply (just like Reddit) by @dullbananas in #4872
- Automatically remove tracking parameters from URLs by @dessalines #5018
- Relax timeout for sending activities by @Nothing4You in #4864
Bug Fixes
- Fix admin notification for new user registration (fixes #4916) by @Nutomic in #4925
- Allow community settings changes by remote mods @flamingo-cant-draw in #4937
- Fix problem with connecting to Postgres with TLS @FenrirUnbound in #4910
- Fix bug when commenting in local-only community by @dessalines in #4854 and @abdel-m in #4920
- Fix scheduled task to delete users with denied applications by @Nothing4You in #4907
API
- Return image dimensions and content type in API responses by @dessalines in #4704
- Adding a show_read override to GetPosts. by @dessalines in #4846
- Add show_nsfw override filter to GetPosts. by @dessalines in #4889
- Require authentication for site metadata fetch endpoint by @dessalines in #4968
- Add the ability to fetch a registration application by person_id by @dessalines in #4913
- Order community posts by published data, not id by @dullbananas in #4859
- Throw error when non-mod posts to mod-only comm or when URL is blocked by @flamingo-cant-draw in #4966
- Add option to search exclusively by post title by Carlos-Cabello #5015
Database
- Approve applications in transaction by @Nothing4You in #4970
- Use trigger to generate apub URL in insert instead of update, and fix query planner options not being set when TLS is disabled by @dullbananas in #4797
Lemmy-UI
- Fix full-size post images. by @dessalines in #2797
- Fix modlog ID filtering. by @dessalines in #2795
- Allow Arabic and Cyrillic characters when signing up or creating community by @SleeplessOne1917
- UX - Swap "Select Language" and "Cancel/Preview/Reply" button locations around in commentsReverse order of buttons in Reply TextArea
- Fix jump to content by @SleeplessOne1917
- Fixing peertube and ordinary video embeds. by @dessalines in #2676
- Changing sameSite cookie from Strict to Lax. by @dessalines in #2677
- Remove show new post notifs setting. by @dessalines in #2675
- Fix memory leak around emojis on server render by @makotech222 in #2674
- Enable spellcheck for markdown text area by @SleeplessOne1917 in #2669
- Pre release dep bump by @SleeplessOne1917 in #2661
- Add ability to fill magnet link title on post creation. by @dessalines in #2654
- Registration application view by @SleeplessOne1917 in #2651
- Add torrent help by @dessalines in #2650
- More moderation history by @dessalines in #2649
- Fix tribute related bug by @SleeplessOne1917 in #2647
- Remove min and max length from password input when using login form by @SleeplessOne1917 in #2643
- Remove trending communities card from home. by @dessalines in #2639
- Set data-bs-theme based on the presence of "dark" in theme name by @SleeplessOne1917 in #2638
- Fixing modlog filtering to allow admins and mods to filter by mod. by @dessalines in #2629
- Fix issue from logo bugfix by @SleeplessOne1917 in #2620
- Make more post params cross-postable by @SleeplessOne1917 in #2621
- Fix wonky comment action icon button alignment by @SleeplessOne1917 in #2622
- Prevent broken logo from crashing site by @SleeplessOne1917 in #2619
- Add rate limit info message. by @dessalines in #2563
- Fix getQueryString by @matc-pub in #2558
New Contributors
- @abdel-m made their first contribution in #4920
- @johnspurlock made their first contribution in #4917
- @FenrirUnbound made their first contribution in #4910
- @kwaa made their first contribution in #4901
- @Daniel15 made their first contribution in #4892
Full Changelog
Upgrade instructions
This upgrade could take as long as ~30 minutes for larger servers, due to needing to recalculate controversy ranks for all historical posts.
There are no breaking changes with this release.
Follow the upgrade instructions for ansible or docker.
If you need help with the upgrade, you can ask in our support forum or on the Matrix Chat.
Thanks to everyone
We'd like to thank our many contributors and users of Lemmy for coding, translating, testing, and helping find and fix bugs. We're glad many people find it useful and enjoyable enough to contribute.
Special shout out to @SleeplessOne1917, @phiresky, @dullbananas, @mv-gh, @Nothing4u, @asonix, @sunaurus, @flamingo-cant-draw, and @Freakazoid182 for their many code contributions and helpful insights.
Support development
We (@dessalines and @nutomic) have been working full-time on Lemmy for over five years. This is largely thanks to support from NLnet foundation, as well as donations from individual users.
If you like using Lemmy, and want to make sure that we will always be available to work full time building it, consider donating to support its development. A recurring donation is the best way to ensure that open-source software like Lemmy can stay independent and alive, and helps us grow our little developer co-op to support more full-time developers.
A new security fund opens up to help protect the fediverse | TechCrunch Sarah Perez 4–5 minutes
The fediverse, also known as the open social web that includes Mastodon, Meta’s Threads, Pixelfed, and other apps, is ramping up its security. On Wednesday, a nonprofit focused on bringing governance to open source projects, the Nivenly Foundation, announced the launch of a new security fund that will pay those who responsibly disclose security vulnerabilities that affect fediverse apps and services.
While all software can have security issues, Mastodon — an open source and decentralized alternative to X — has fixed numerous bugs over the years, leading to the need for such a program. Another issue found in the fediverse is that many servers are run by independent operators who don’t necessarily have a security background or understand best practices.
Already, the Nivenly Foundation has helped a few fediverse projects set up their basic security vulnerability reporting process, and now it’s looking to distribute small payouts to anyone who responsibly discloses other security vulnerabilities that may still be in the wild.
The payouts will total $250 for vulnerabilities with a vulnerability severity score (known as CVSS) of 7.0-8.9 and $500 for more critical vulnerabilities with a CVSS score of 9.0 or greater. The funds for the payouts come from the foundation, which is supported directly by members — which includes individuals as well as other trade organizations.
The vulnerabilities themselves are validated by acceptance from the fediverse project leads as well as public records in vulnerability disclosure (CVE) databases.
The fund is currently in a limited trial after the discovery of a security vulnerability in the decentralized Instagram alternative, Pixelfed. Open source contributor Emelia Smith came across the issue, and the Nivenly Foundation paid her to fix it, she explains.
A more recent issue came about when Pixelfed’s creator, Daniel Supernault made the details of a vulnerability public before server operators had a chance to update, which would have left the fediverse vulnerable to bad actors, she says. (Supernault has already apologized publicly for his handling of the issue that had affected private accounts.)
“Part of the program is…education for project leads, helping them understand why responsible disclosure practices for security vulnerabilities are important,” Smith told TechCrunch. “We came across several projects that just said ‘file security vulnerabilities in our public issue tracker,’ which absolutely isn’t safe, as any malicious actor watching that repository would now be able to attack instances of that software,” she added.
Typically, the common practice is to disclose minimal information about a vulnerability, giving server operators time to upgrade, Smith said. However, this requires that project leads understand security best practices.
In the case of the Pixelfed issue, for instance, the Hachyderm Mastodon server, which has over 9,500 members, decided it needed to defederate (or disconnect from) other Pixelfed servers that hadn’t been updated in order to protect their users.
With this new program designed to follow best practices around the disclosure of vulnerabilities, the need to defederate to protect users may become less common.
Sarah has worked as a reporter for TechCrunch since August 2011. She joined the company after having previously spent over three years at ReadWriteWeb. Prior to her work as a reporter, Sarah worked in I.T. across a number of industries, including banking, retail and software.