This issue is already quite widely publicized and quite frankly “we’re handling it and removing this” is a much more harmful response than I would hope to see. Especially as the admins of that instance have not yet upgraded the frontend version to apply the urgent fix.

It’s not like this was a confidential bug fix, this is a zero day being actively exploited. Please be more cooperative and open regarding these issues in your own administration if you’re hosting an instance. 🙏

  • 𝓢𝓮𝓮𝓙𝓪𝔂𝓔𝓶𝓶
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    I don’t think I’m asking for a lot. A post on !lemmy@lemmy.ml xposted to !lemmy_support@lemmy.ml that gets pinned to the top. Edit the post when relevant information comes out. Release a security advisory on github as soon as you have enough info to warrant one and keep it up-to-date as well.

    I’m not asking for the troubleshooting to happen out in the open.

    you sound quite well-versed in how to handle security/critical incidents. Maybe consider contacting the devs and offering them some help in this area?

    I know enough. I’m certainly not an infosec guy I’m just a sysadmin who’s been doing this long enough to know what should be done. At least partly due to this there’s currently 400 open issues just in lemmy-ui on github. Right now I think the best most of us can do is wait for the dust to settle.

    • fuser@quex.cc
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      1 year ago

      Right, but Lemmy.ml is really just one of a thousand plus instances. We need something instance independent or a way to propagate info that doesn’t rely on any single failure points, or Lemmy as the communication channel. What happens when lemmy.ml is down, or if no instances are able to post due to concerted DoS?

      It’s impossible to stop anyone randomly posting stuff on Lemmy. Attackers can post misinformation as well, especially if they compromise admin accounts. Who are we gonna trust in the midst of the next incident? The account posting most prolifically about the UI exploit in progress was using a burner account that had just been created to post about it. I’m sure there were good reasons for wanting to be anonymous when discussing the work of unknown malicious actors, but it made me think twice about what was being posted at the time.

      • 𝓢𝓮𝓮𝓙𝓪𝔂𝓔𝓶𝓶
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        I think the authoritative source should be the GitHub repo. A security advisory should be posted there with references to outside resources as necessary.

        • fuser@quex.cc
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          checks all the boxes - authoritative (authenticated user accounts), central location, not on fediverse, already relatively well-known by lemmy users and provides visibility to remediation. It’s a good idea.