So if you do the Docker setup, obeying the instructions and substituting everything that needs to get substituted, but don’t proofread the files in detail and so miss that line 40 of docker-compose.yml doesn’t have the variable {{domain}} like in every other location you need to write your domain, but instead just says LEMMY_UI_LEMMY_EXTERNAL_HOST=lemmy.ml and so you fail to change it away from lemmy.ml… then, everything will work, until you type in your admin password for the first time, at which point your browser will send a request to lemmy.ml which includes your admin username, your email address, and the admin password you’re trying to set. And, also, of course your IP address wherever you are sitting and setting up the server.
I have no reason at all to think the Lemmy devs have set their server up to log this information when it comes in. nginx will throw it away by default, of course, but it would be easy for them to have it save it instead, if they wanted to. And my guess is most people won’t use a different admin password once they figure out why creating their admin user isn’t working and fix it.
@dessalines@lemmy.ml @nutomic@lemmy.ml I think you should fix the docker-compose.yml file not to do this.
Edit: Just to increase the information-to-rudeness ratio of my post. The docs are at:
https://join-lemmy.org/docs/administration/install_docker.html
And they recommend using wget to download:
https://raw.githubusercontent.com/LemmyNet/lemmy-docs/main/assets/docker-compose.yml
Which is pulled from:
https://github.com/LemmyNet/lemmy-docs/tree/main/assets
Which is what has the wrong line 40 in it.
Edit: They fixed it. Good stuff.
You should edit your post with link to this PR - it’s fixed now
Edited.
Thanks
Thank you for discovering this, and creating awareness around it.
Seems like a genuine miss, contrary to what the comments here would have one believe, given that the compose file (and rest of the docs) were mostly derived from whatever worked for the developers themselves.
Seems like a genuine miss, contrary to what the comments here would have one believe,
You might be right. I looked at the history and the way it came in, and it’s not as wildly anomalous to the rest of the file when looked at in context. Maybe it’s just a mistake.
if it was inadvertent you’d think someone at the receiving address would have spoken up…
Well, part of the price I pay for being a consistent dickhead is that sometimes people aren’t enthused to respond to me. I get why they wouldn’t really want to respond here and get yelled at, whether or not it was malicious, and instead just fix it and go on.
In my opinion it would be a healthier way to go about things if they were willing to meet criticism head-on, but the pro-authoritarianism position they’ve staked out for themselves is so widely and bitterly unpopular that I think that ship has sailed and they’re unlikely to engage with most of the free-speaking world at this point, because it would just be a torrent of abuse and mockery and so what would even be gained by it.
they’re unlikely to engage with most of the free-speaking world at this point, because it would just be a torrent of abuse and mockery and so what would even be gained by it.
side effects of never letting a good opportunity to red bait go to waste I guess
When it comes to tankies/rightwing/etc/etc I always assume a Reverse Hanlons Razor. Never attribute to stupidity what can be adequately explained by malice.
That’s so on-character for .ml
The longer I look at it the more suspicious I am of it, to be honest. I’m just kind of generally a paranoid and accusatory person, so take that into account, but… the files are pretty carefully set up. They have variable substitutions for everything, including a bunch of places where there’s a template substitution to change a string around when setting cache keys so that it’ll still work out-of-the-box right away, even in complex configurations like multiple domains on a single server. It all works out-of-the-box right away, they’ve clearly been attentive to making sure it’s all set up right and keeps working cleanly as things have been evolving forward. Except for that one place.
this is how those Marxist Leninst nation state actors work
If we are entertain this idea, what could they possibly gain from this? Stealing passwords isn’t effective if the victim knows it’s been stolen.
I think it would be very rare that people would put two and two together to realize that their password had been “stolen” by this event. Like I say, I have no real idea even if it is being stolen, just that it would be trivial for .ml to decide that they wanted to start keeping a little cache of everyone’s admin email addresses and passwords.
Like someone else said, if it was anyplace other than lemmy.ml, I wouldn’t give it a second thought, it would just be “whoa you gotta fix this.” I sort of agree with you that there’s not even really any strong indication that there’s anything all that bad they could do with it. It’s only because lemmy.ml moderation actions already have such a pattern of authoritarian dishonesty that I get to any degree paranoid or alarmed about it.
Entertaining the idea… Lol
Do you think OP is making it up?
I assume they just mean the idea that is malicious and not just stupidity.
Neither is good
Yeah but one is typically significantly easier to deal with non-violently.
That’s just it. Someone might not realize that all that info was passed to the server when it failed if they weren’t thinking about it. They’d just correct their mistake and move on with their day, especially if they’re new to server administration as I’m sure many (not necessarily most) Lemmy admins would be.
“What could they possibly gain from having keys to the kingdom?”
rofl! Continue proving how absolutely brainless bootlickers are… It’s a good fit for you.
Im loving that there are ml users coming in and defending it lol
Yeah, don’t they realize they could have just spent that time productively by making a pull request, instead?
Honestly, you found the fault. I agree that you should put the request in.
I mean probably I should. There are a bunch of people accusing me of being dick headed and petty and they’re not completely wrong. Honestly, I just don’t feel like helping the Lemmy devs. Dessalines, at least, is totally unapologetic about being a dickhead to people he has power over. That puts me in a mindset where, mostly, I want to talk to other people about potential harm he’s in a position to do, and not really in a mindset where I want to do even a small amount of extra work on his behalf.
I’m going to tell other people that he’s in a position to take their passwords. If he wants to see that and put himself not in that position anymore? Great, I think he should. If he gets his feelings hurt because I’m not being super friendly about it? Well… okay. I’m not trying to be malicious about it or do anything other than clearly communicate the problem. But it seems like the lemmy.ml “in charge” crew in general has a lot of a mentality that’s kind of like, “Well, I’m in charge, and you’re not, so fuck what you think and fuck your rights. Ban.” (or whatever). The way I operate is that really makes me not want to be extra friendly or courteous to people. I used to have a regular donation to Lemmy development set up, I used to take it seriously the idea of getting involved in contributing to the code, and then I observed how they operate, and … like I say I’m mostly talking to the other people involved who I think should be aware of this. If the devs want to react, fix it, or get involved in the conversation, then sure, sounds good.
The fix is in the comments below, if someone else wants to contribute it and do the very small amount of work of getting it in.
It sounds like a pull request would have been much more helpful, with much less effort. But you want it fixed less than you want it publicized, so you chose this option (even though you could have done both).
In other words, you cared less about the people impacted by this problem, and more about your own opportunity to put the author(s) on blast like this.
And you care about that opportunity so much, that it’s even worth it to show this dark side of yourself publicly.
Am I understanding that right?
Or OP is spreading the word to get it out there. Now it’s got eyes on it thanks to OPs work.
Jesus. Some of you people just want to shit on someone for doing a good thing for no reason. Have you put in a pull request yet or are you just showing your dark side on top of being a dick to OP who did something good?
One of the .ml users down below volunteered to put in the PR later tonight if no one else has, so it sounds like both bases are covered now.
There’s been a multiyear crusade to oust .ml from the Fediverse with demands that the developers relinquish their instance servers to a third party and/or stop developing Lemmy altogether. That’s not an irrelevant context here given it is usually the same routine players.
They could have done both.
If it’s not fixed by Monday, I will consider starting the approval process from the legal department that requires it from me.
I wish I had the freedom to just open a PR anywhere anytime, but I don’t.
Let’s not get carried away. Shared software systems are about more than the software. If you’re looking only at the software, and that was literally 100% of what is important here and nothing else, then yes, you’re right.
But you want it fixed less than you want it publicized
100%. Yes. Correct. I also want it fixed, but that’s completely trivial, with or without the pull request.
I think there you hit the nail on the head! Just the fact that it is in there, whether intentionally or not is something that warrants warning people about. So that in the case someone goes to set up a server, they at least know that recently there was this rather severe risk of unnecessary credential exposure, again no matter if it was intentional or not.
However, I will say that I think I would have also opened the PR, not to help the original dev necessarily, but helping those that might come to use the software later.
Let’s not get carried away.
…
Right…
Regardless of all that drama, you could have spent five minutes at anytime in the last two hours writing significantly less than you have, and putting the the request in.
You could have been done doing it in-between replies. Just saying.
You could do it to. Be the change you want to see, or be a dick. Your choice I guess.
No i have no idea how to do anything like that. OP does.
The devs have access to the source code. Why would they put something like this two layers deep into the documentation? It’s like those people that think Mozilla is evil, because Mozilla openly talks about what they’re doing. If they wanted to be evil, you would know jackshit about it.
- “This isn’t even malicious, just look at it, it’s perfectly innocent”
- “Besides, if they wanted to do something, they could disguise it way better than this”
Pick a lane, .ml.
I’ll let the hivemind know that we’re supposed to have only one opinion.
Was just gonna say. Exactly what some authoritarian boot lickers would do.
“Of course the Central Committee would have access to your instance. Why is that a problem? Are you doing something counter-revolutionary?!”
We are using their tools though…
Well, you are, while I am on PieFed:-P If you do not like what you’ve heard here, then consider switching to Piefed.World (Lemmy.World’s recently-announced PieFed replacement for Lemmy)
Oh, that’s interesting. Didn’t know about that.
I don’t think that there’s a way to list instances that a PieFed instance has defederated from, unlike Lemmy; while both have a list of instances at /instances, only Lemmy indicates which ones have been defederated from. It was a helpful tool to help me guess the sort of content an instance had.
Like:
https://lemmy.world/instances (under “Blocked Instances”)
https://piefed.world/instances
EDIT: It does show the last time that the instance sent data, and I guess you could sort of guess that if a large instance that probably has activity hasn’t sent data to the PieFed instance recently — like lemmygrad.ml and hexbear.net on piefed.world — then they’re probably defederated. But it doesn’t clearly indicate that this is the case, either.
Try asking in !piefed_meta@piefed.social , !piefed_help@piefed.social or https://codeberg.org/rimu/pyfedi/issues
I’ve only been on PieFed a month or so and they’ve already dealt with half a dozen things I’ve mentioned, from bugs to feature requests.
Why are you assuming malice when this is probably just a mistake/oversight?
Because of the way Dessalines and Nutomic consistently act?
Watch. They won’t apologize or admit wrongdoing here. They never do.
I wonder what their answer for this will be in the coming days.
Everyone here will be ml banned for five months.
And nothing of value would be lost.
Just the normal entropy of things
They fixed it.
of course they will. this is still software
before my instance went down i was gonna add on to this saying “at the very least he’d say something like ‘good catch’” and wow he did say good catch lol
Because “when someone shows you who they are, believe them the first time .”
All I see here is a mistake. If that’s unforgivable to you then so be it.
If it wasn’t .ml I would not assume malice
Lol you’re on .world, what are you on about
I’m only on .world because Kbin isn’t around anymore.
Both a strength and weakness of FOSS. There is also the solar winds hack for a proprietary analog in case anyone is curious.
Uh huh, just like how the instance/user block being horribly implemented to where it’s just a barely functional mute is just a (4 year) “oversight”.
Funny how their “oversights” just so happen to have benefits to their efforts to push authoritarianism
deleted by creator
They are even more fanatically anti - ml than their beloved ww2 nazi examples.
You can feel them foaming at the mouth.
This is fixed now.
Bruh
Now I have trust issues with open source programs.
points glock at VLC Media Player
“WHO THE FUCK DO YOU WORK FOR? TRYING TO JUMPSCARE ME?”
💥🔫
💥🔫
💥🔫
💥🔫
💥🔫
💥🔫I’m reminded of stories I’ve heard of graduate students hiding a note and some cash in the pages of their theses that they submit to the university, just to see if anyone bothers reading it and takes the cash. They return years later to find it still there.
With open source, the code is all there ready for review by anyone, as long as you have the technical knowhow and patience to review the code you use. But like reading the terms and conditions for everything we use, how many people actually take the time to go through all that code?
Quick, Louis Rossmann next! Who knows who that off the rail New Yarker will do next!
Good catch, seems like an oversight.
Oh no, the secret plot of the tankies for world domination has been unmasked!
ope, just gonna squeeze on through this minefield, dont mind me
Can you point to a repository somewhere?
--- a/docker-compose.yml 2025-07-12 00:17:33.050443300 +0000 +++ b/docker-compose.yml 2025-07-12 00:18:21.038972526 +0000 @@ -37,7 +37,7 @@ image: dessalines/lemmy-ui:0.19.12 environment: - LEMMY_UI_LEMMY_INTERNAL_HOST=lemmy:8536 - - LEMMY_UI_LEMMY_EXTERNAL_HOST=lemmy.ml + - LEMMY_UI_LEMMY_EXTERNAL_HOST={{ domain }} - LEMMY_UI_HTTPS=true volumes: - ./volumes/lemmy-ui/extra_themes:/app/extra_themesEdit: From https://github.com/LemmyNet/lemmy-docs/tree/main/assets
Thank you!
Yeah this hit me as well and it was very confusing until I found that
lemmy.mlI can’t find it on the main branch so I didn’t raise am issue
That seems like a mistake in the design of the compose file mentioned (not using the “{{ domain }}” pattern in the LEMMY_UI_LEMMY_EXTERNAL_HOST environment variable) in the docs and a case of the documentation not being explicit about what needs to be changed (they refer to that variable in the README of the Lemmy UI repo when you read about the config file mentioned in the docs).
Yeah, without a doubt, it’s just an oversight.
There’s nothing malicious here.
I should have read the docker compose a bit closer when I was trying to figure it out but There’s only so many hours in the day, and sometimes you rush.
Here is the commit https://github.com/LemmyNet/lemmy-docs/commit/b3bd2afd6af18e71048ade7e82b541ff903a5a42
It creates the docker file and updates the docs to (among other things) point to the he file, the old being https://raw.githubusercontent.com/LemmyNet/lemmy-ansible/main/templates/docker-compose.yml.
I wonder why it does not point to the main repo. The PR does not discuss the it. https://github.com/LemmyNet/lemmy-docs/pull/315
Did you use a different admin password when you did the new setup after fixing it? If not, I think you should change your admin password.
That’s right, one should. However, I’m using this only as an internal documentation tool, There’s no port forward and it’s not public. I am literally using it to take notes on a few things I’m developing.
It’s actually really nice being able to drop a whole bunch of links and have them threaded and linked between each other. It works quite well.
So it’s not in the repo, where did you get the compose? This smells like bullshit
The live docs at:
https://join-lemmy.org/docs/administration/install_docker.html
Link to:
https://raw.githubusercontent.com/LemmyNet/lemmy-docs/main/assets/docker-compose.yml
Which is what needs to be updated.
Ahhh thank you, weird indeed.
In not the OP but I hit the same issue.
I can’t find it on the main branch
Isn’t that even more suspicious?
What branch is OP’s build from if not main?
The relevant repo is:
https://github.com/LemmyNet/lemmy-docs
If you wanted to submit a PR, I think that would be a good idea. I’ve posted the patch elsewhere in the comments.
rise up against dockers and the evil empire of containerization! reproducibility! microservices! middle management! security!
/j
Yeah 100%, it’s all Docker’s fault at the end of the day
Seriously, is Docker a good thing or is it the usual hyped product that ends up being more expensive in the end? (like Amazon AWS)
Docker is a mediocre solution to a real problem. It doesn’t cost any money, it does the job, but also, it consumes lots more disk than it needs to and can’t do some things that a solution in this space really should be able to do.
If the world had decided that Nix was the way to containerize their web services and make them reproducible, the world would have been a better place, but that wasn’t what happened (yet at least).
I really wish there was a way to enforce transparency of docker env vars.
I get that it’s impossible to make it a part of docker, env vars get parsed by code and turned into variables. There is no way that docker can enforce it, cause a null/undefined check with a default value is all that would be needed to subvert checks by docker, and every language uses a different way to check env vars (eg .env files, environment init scripts, whatever).
And even then, the env var value could be passed through a ridiculous chain of assignments and checks.
And, some of those ‘get env var’ routines could be conditional. Not all projects capture all env vars during some initial routine.I’ve spent hours (maybe days) trawling through undocumented env vars trying to figure out their purpose, in order to leverage them in docker/k8s stacks.
I wish there was something.Thankfully, a bit of time spent with a FOSS project and reviewing the code does shed light on hidden env vars.
And a PR or 2 gets comments and documentation updated.
Open source is awesomeYeah, I honestly just strongly dislike the whole Docker ethos. It was designed for one thing (deployment at scale), at which it excelled, and then everyone uses it for a different thing (reproducible one-off deployment), at which it is fine, basically, but just kind of the minimum set of capabilities to get the job done.
Nix can do what Docker does, in a much superior fashion (lower disk space, much better transparency, rollback ability, lack of towering chains of follow-on effects as you are talking about, and applications outside of mucking around with containerized images), but for some reason everyone uses Docker, and Nix is as far as I can tell unused outside of NixOS.
Whatever. When they make me king, it’ll be different, that’s all I can say.
Nix and Docker / container runtimes are completely different animals. Each is good at what they do, but those are vastly different things, with some overlap. If you want to share a kernel but use fewer resources than a VM, containers can do that. If you want to go further and completely isolate, you can use microvm’s like firecracker.
I don’t follow what is wrong with that. Maybe you mean it’s use where people use it specifically as a package manager. I agree with that, but even then it has its handy place.
Maybe you mean it’s use where people use it specifically as a package manager
Precisely. Containerization is great and Docker does it well. Sending someone a reproducible script that can set up your software package for them is great. Marrying the two concepts unnecessarily and using one specific tool which is designed primarily to do the first, to instead do the second, is the only real issue I’m taking with it.
Yes, there are still some problems with the self-hosting docs
Do you have a link to the file you used which has this problem?
“Accidentally”
