Asklemmy

43494 readers

1362 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

Open-ended question
Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
Not ad nauseam inducing: please make sure it is a question that would be new to most members
An actual topic of discussion

Looking for support?

Looking for a community?

Lemmyverse: community search
sub.rehab: maps old subreddits to fediverse options, marks official as such
!lemmy411@lemmy.ca: a community for finding communities

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 5 years ago

MODERATORS

257

What's the benefit of using Kbin over Lemmy? (feddit.nl)

submitted 1 year ago by UnanimousStargazer@feddit.nl to c/asklemmy@lemmy.ml

144 comments fedilink hide all child comments

I see a very small minority of people using Kbin, but I don't understand why.

Is this just a coincidence and did some people choose Kbin over Lemmy or is there a good reason to use Kbin?

you are viewing a single comment's thread
view the rest of the comments

[–] Swedneck@discuss.tchncs.de 3 points 1 year ago (1 children)

but that's not the fault of the UI, that's the fault of the server and/or operator for allowing something like that to be even theoretically possible in the first place.

This is why you place UIs on separate domains from the servers, and always treat user input like it's radioactive AND toxic.

[–] freeman@lemmy.pub 8 points 1 year ago (1 children)

The custom emoji's was a developed feature of Lemmy pushed out in their UI code. Even the project mainters instance was affected. Its why 0.18.2 was released.

https://join-lemmy.org/news/2023-07-11_-_Lemmy_Release_v0.18.2

Thats not on server/infra operators. It was a vuln in the core UI code. Some operators DID patch it themselves (i think Beehaw is one), others were less affected (ie: My instance is closed and i dont use custom emjis anyhow), but those are features introduced by the maintainers and some of the bigger instances would get requests for them anyhow. So it was a problem.

[–] Swedneck@discuss.tchncs.de 1 points 1 year ago (1 children)

but the fundamental vulnerability is not in the UI, by that logic you could just run your own UI and get into servers without issue, the vulnerability is always in either the server software or in the specific deployment.

[–] snowe@programming.dev 1 points 1 year ago (1 children)

The vulnerability was in the ui.

[–] Swedneck@discuss.tchncs.de 1 points 1 year ago (1 children)

again, that makes no sense whatsoever, by that logic anyone can just merrily wreak havoc by using a client specially made to have vulnerabilities.

[–] snowe@programming.dev 1 points 1 year ago

It was a csrf issue. The vulnerability isn’t on the attackers side, it’s on the user’s side. I’m telling you this as the owner of the instance. I’m sorry, but you are wrong here.