sudneo

joined 2 years ago
[–] sudneo 5 points 2 years ago

I find some of the information in the article a little bit misleading when it comes to the GDPR. First, the US is considered an unsafe country into which to transfer data, because of reasons such as the Cloud Act. The GDPR simply prescribes that data sharing is possible within countries that offer guarantees similar to the ones offered by the GDPR. If the US doesn't want to offer guarantees of data protection, I don't understand why the limitation should be perceived on the regulator side.

Second, each platform has in any case multiple instances deployed, often each instance is also distributed across regions etc. Painting this as an "engineering nightmare" seems debatable.

I am also not aware of any prescription that forced anybody to run everything in the US with a US company (which therefore is subject to the Cloud Act). If the companies make these choices, to me it seems natural that they should also take responsibility for them, not complain that known regulations that have existed for years forbid you to do stuff...

[–] sudneo 15 points 2 years ago

Honestly it was not trivial, the custom emojis in the markdown parser seem to be vulnerable. Of course everything should be sanitized, but in practice there are cases where it's hard to make a proper sanitization while retaining features to let users write weird stuff. This is not the case of "validate a username" where you know very well which regex to use and which character space.

I would actually say that this vulnerability should have been prevented using proper cookie security, which should make it impossible to steal the session via XSS.

I do acknowledge though that it's not easy to take care of all of this when it's 2 people working on everything (from design to frontend, passing for deployment etc.), especially if there are no specific competencies in appsec.

[–] sudneo 40 points 2 years ago (2 children)

Blaming culture does not help with vulnerability disclosure. Vulnerabilities do happen and will happen again.

Writing a parser is not trivial and remember that it was a tiny project until a month ago.

[–] sudneo 2 points 2 years ago

Working on UX is a big necessity. However, it's fine if communities are sitting on the biggest instances, although I would like it more if users were more distributed. People from smaller instances can anyway participate in the communities sitting elsewhere. In general I agree about having more users though, but the point for me is which users. Communities are growing, Lemmy (in my experience/bubble) is already completely different from how it was 2 weeks ago (way more content). It will take time for niche communities, but I don't think that sacrificing what makes this place unique is worth the artificial influx of users that might come with it. We are experiencing a small and organic growth (3k active users a day circa), I think it's going to work out (especially if we all make a little effort - maybe more than we would have done in platforms).

[–] sudneo 11 points 2 years ago

If we could, in retrospect, do that, maybe we wouldn't be in a state where if you want to send an email and be sure it gets delivered, you need to use one of 2/3 providers or a mail delivery service. The email example is perfect to show how big companies did kill the openness of the protocol, without any need to make it closed.

[–] sudneo 2 points 2 years ago

I think there is a fundamental difference between a tool like the kernel and a protocol which is then implemented by others. Google is part of those who standardize the web, and it killed any browser competition exactly because it pushed so much stuff that if you start a browser from 0 today, you will need millions and years to work with most websites.

The Linux kernel instead is a single, centralized thing that gets distributed, and Linus and other maintainers are gatekeepers as well.

I honestly think there is simply no way to avoid a complete takeover when there is this much asymmetry. Or well, the way is to keep things separated, maybe.

[–] sudneo 8 points 2 years ago* (last edited 2 years ago) (2 children)

Letting them dictate the pace for technological development is actually the shortest path to being extinguished.

They already have 30 million users, which is approximately 2.5x the whole fediverse. Shortly they will easily reach 100/200 million, probably, which means the whole fediverse will be <5%.

Now, in this condition, with Meta turning >100 billion of profit in a year, Mastodon (and Lemmy, and Pixelfed) etc., should compete by aiming for feature parity with an organization that can throw hundreds of full-time developers at the code? Sorry, no.

The whole idea in my opinion is framed poorly. For me the fediverse is a technical implementation of an idea. The technology comes after the idea, and the idea is simple: decentralization, non-monetization, no ads, and no-profit. It is a corner of the cyberspace which is and should remain out of reach for the big companies. We cannot, and should not, compete in their game.

This means that our tech should be poor out of principle? No, obviously. But we need to be realistic that fedi software will fail to keep the pace in terms of features with Threads. Aiming to do that already seems like saying that Threads will take decisions, the rest will need to catch up, and it's just a matter of time before one of their features is a change in ActivityPub, or requires an extension of it, or breaks compliance with it.

I think that the way forward is simply acknowledging that while there are technical similarities, Threads and the fedi software are wildly different things, and they should be considered as such. Some will federate, some will not, but we should keep that distinction.

[–] sudneo 12 points 2 years ago

During the short time Google also acquired users, who moved from other XMPP software because...well, the software was more integrated with other stuff. So when you then defederate, the rest is left with fewer users and a terrible experience.

Google did the same with Chrome and the web standards too. Look at the browser competition nowadays...

[–] sudneo 4 points 2 years ago* (last edited 2 years ago) (1 children)

Yes, of course, EEE is a classic. However, the question only shifts slightly: "what interest does Meta have in destroying a competition that doesn't exist". Because in a few hours it has already surpassed Mastodon's users, for instance.

I am absolutely convinced that Threads will be defederated when the time comes, but I believe the fediverse is just collateral damage for Meta on its path to grab Twitter's market. This doesn't mean they won't try to kill ActivityPub by imposing their direction, obviously.

[–] sudneo 4 points 2 years ago (3 children)

In my opinion, an image cleanup, reaching a small market (10 million people) that would otherwise be hard to reach, while at the same time building the image of something antithetical to Twitter.

Then again, they are not federable yet, so nobody knows how it will go (nor can they launch in the EU for now).

[–] sudneo 3 points 2 years ago

Just in case, you are absolutely correct, you will be able to access content from Lemmy.world and actually even beehaw (which instead is not federated with Lemmy.world at the moment).

[–] sudneo 15 points 2 years ago

I think it's important to realize that it's not at all about the owner being evil or benevolent. It is all about what structural and economic incentives exist. A for-profit corporation based on the business model of advertisement is structurally incompatible with some objectives that I - as a netizen - want to achieve (freedom, privacy).

This is also why I don't agree with those who say "it's a win for decentralization" or "it will bring users". For me decentralization and other properties (e.g. open source code) are only some necessary conditions to achieve the above abstract and ideological goals.
