Had to disable support functions because I’ve received three spammy support emails today. Thanks for that feature @prologic@twtxt.net

@bender@twtxt.net Hey, want to go in halfsies on one?

@bender@twtxt.net Oh look at that, the same problem is still happening on twtxt.net too. I tested a different link but that one gave an error. Maybe that means my pod isn’t behaving different from twtxt.net after all.

@prologic@twtxt.net I deleted a file named cache in my yarn data and restarted. Problem persists.

@prologic@twtxt.net “Refresh cache in Poderator Settings”

Is there some other way to do that?

@prologic@twtxt.net What? I compiled, updated, and restarted. If you check what my pod reports, it gives that 7a… SHA. I don’t know what that other screenshot is showing but it seems to be out of date. That was the SHA I was running before this update.

@prologic@twtxt.net Here’s a log entry:

Aug 27 15:59:43 buc yarnd[1200580]: [yarnd] 2024/08/27 15:59:43 (IP_REDACTED) "GET /external?nick=lovetocode999&uri=https://URL_REDACTED HTTP/1.1" 200 35442 14.554763ms

HTTP 200 status, not 404.

@prologic@twtxt.net This does not seem to fix the problem for me, or I’ve done something wrong. I did the following:

1. Pull the latest version from git (I have commit 7ad848, same as on twtxt.net I believe).
   
2. make build and make install
   
3. Restart yarnd
   
4. Refresh cache in Poderator Settings
   

Yet I still see these bogus /external things on my pod when I hit URLs like the one I sent you recently. When I hit such a URL with curl I think it’s giving an error? But in a web browser, the (buggy) response is the same as it was before I updated.

So, this problem is not fixed for me.

@prologic@twtxt.net Aha, now it gives an error. OK I’m updating to this to see if it fixes the issue on my pod! Thank you.

@prologic@twtxt.net I believe you are not seeing the problem I am describing.

Hit this URL in your web browser:

https://twtxt.net/external?nick=lovetocode999&uri=https://socialmphl.com/story19510368/doujin

That’s your pod. I assume you don’t have a user named lovetocode999 on your pod. Yet that URL returns HTTP status 200, and generates HTML, complete with a link to https://socialmphl.com/story19510368/doujin, which is not a twtxt feed (that’s where the twtxt.txt link goes if you click it). That link could be to anything, including porn, criminal stuff, etc, and it will appear to be coming from your twtxt.net domain.

What I am saying is that this is a bug. If there is no user lovetocode999 on the pod, hitting this URL should not return HTTP 200 status, and it should definitely not be generating valid HTML with links in it.

Edit: Oops, I misunderstood the purpose of this /external endpoint. Still, since the uri is not a yarn pod, let alone one with a user named lovetocode999 on it, I stand by the belief that URLs like this should be be generating valid HTML with links to unknown sites. Shouldn’t it be possible to construct a valid target URL from the nick and uri instead of using the pod’s /external endpoint?

@prologic@twtxt.net @bender@twtxt.net I partially agree with bender on this one I think. The way this person is abusing the /external endpoint on my pod seems to be to generate legitimate-looking HTML content for external sites, using a username that does not exist on my pod. One “semantically correct” thing to do would be to error out if that username does not exist on the pod. It’s not unlike having a mail server configured as an open relay at this point.

It would also be very helpful to give the pod administrator control over what’s being fetched this way. I don’t want people using my pod to redirect porn sites or whatever. If I could have something as simple as the ability to blacklist URLs that’d already help.

@lyse@lyse.isobeef.org Interesting. The yarnd --help currently says (for me):

  -R, --open-registrations            whether or not to have open user registgration

meaning it doesn’t give the default setting or warn you that you need to use -R=false and not -R false. It also leaves unclear whether --open-registrations false would work or if you need to do --open-registrations=false. It’s also unclear whether the setting change in the user interface is overridden by the command line arguments, overrides the command line arguments, is persisted across restarts.

Maybe all this is worth posting an issue for additional documentation on the git repo if there isn’t one already.

“registgration” is misspelled that way in the help by the way.

@lyse@lyse.isobeef.org in Australia, take everything you have learned, and do the opposite. After all, it is the land down under! :-D

@quark@ferengi.one LOL we repair everything in here 😆 … I just have a problem with trusting people with my stuff because of past experiences. “Better a half broken screen than no screen” kind of thing.

@aelaraji@aelaraji.com didn’t know there was a place to fix them; in here we toss them. Wish it was cheap to ship stuff. I have a couple of decent monitors in the garage that will soon take a trip to the curve…

@lyse@lyse.isobeef.org I have no Idea, I still haven’t found a repair shop I can trust with my monitor. As for the blackouts, they don’t have consistent frequency. Sometimes it’s once every 3 months… other times it’s 3 times a day 😂

@lyse@lyse.isobeef.org ugh, how come didn’t this occurred to me…! Oh well, I am good now, but noted. Thanks!

@abucci@anthony.buc.ci You can also use -R=false on the command line or leave it out entirely. When explicitly stating -R=false, there has to be an equal sign. With a space (-R false) it’s somehow parsed as -R which is equivalent to -R=true. O_o Very weird. I’d really like to see an error instead.

I still have to figure out the precedence of the settings.yaml or command line arguments. I’m probably holding it wrong, but it seems to give me different results…

@prologic@twtxt.net I’ve just went in a case b) on @abucci@anthony.buc.ci ’s pod, if I click on their nickname I get a Log-in page. And if I click on anyone else’s I a profile page. Is that normal?

@prologic@twtxt.net salt’em to keep them viable longer. Salt’em! :-D

@quark@ferengi.one @movq@www.uninformativ.de A general workaround in these cases is to wrap the command in a shell script and reference said script instead.

@yarn_police@twtxt.net yay! Law and order on the watch!

@movq@www.uninformativ.de Yeah, haven’t seeing the @yarn_police@twtxt.net for a while. I often wonder if we are, finally, crime free. :-D

@lyse@lyse.isobeef.org Ha, sweet thanks for this! For some reason I thought you had to do this with an environmental variable or command-line option and I didn’t think to check the settings. 🤦‍♂

@prologic@twtxt.net Ah nice, thank you! Do you think this fix is ready for me to test it or do you think I should wait til you poke at it?

@quark@ferengi.one We’re having a nice day out here, Clear sky, 26.2 °C (altough it feels like a ~30 °C) … no storms! And the most annoying thing is, THIS happens to my monitor whenever there is a power outage:

With each one a row of pixels gets chipped out … and no I can’t afford a UPS at the moment.

@movq@www.uninformativ.de woot! Yes! Perfect now. Hitting reply opens it with insert, and prompt at the end of the first line. Just as I wanted it. Thank you much!

@lyse@lyse.isobeef.org welcome! :-) I am doing my best to get more acquaintance with vi/vim. I think nano has spoiled me too much. LOL.

@movq@www.uninformativ.de hmm, I am already using au BufNewFile,BufRead jenny-posting.eml setl completefunc=jenny#CompleteMentions fo-=t wrap, from jenny. How would I go to incorporate that there?

@lyse@lyse.isobeef.org “good, good, and fascinating indeed” – says Quark, all while eating an overflowing toast with butter, and blackberry jam. :-D

@mckinley@twtxt.net Wow, I was not aware, that there are different kinds of blackberries. But of course there are. Everything has all sorts of different species, why would it be different with these tasty guys? :-)

I just read up on them and – surprise, surprise – it turns out, the Himalayans are not native to most of Europe either. Doh! It gets even more interesting, their origin is unclear. Maybe Armenia and the Caucasus region. Fascinating!

@aelaraji@aelaraji.com power outages happen here almost every single time strong storms pass by, I know the feeling mate. It truly sucks.

@yarn_police@twtxt.net I was just about to remove this feed from my config because it was stale … 😂

@movq@www.uninformativ.de hmm, I guess I could do that too. I have startinsert set on my .vimrc, so I will either have to take it out, or exit insert, $, then insert again. I think the way you do it would be the way to go.

I tried setting VISUAL to be something like vim -c 'star!', which does the same thing, but no dice. :-/

@abucci@anthony.buc.ci Thank you for using Lyse’s Unofficial Yarnd Help Desk: https://lyse.isobeef.org/tmp/yarnd-disable-registrations.png

Today, I learned about vim "+normal $", how cool! :-) Thanks @quark@ferengi.one!

@movq@www.uninformativ.de, maybe you can help me with this. I want to place the vim cursor at the end of the first line on replies, and forks. I have tried adding to this to jenny’s configuration:

"editor": "vim \"+normal $\"",

But that doesn’t work. How would you go about it?

@prologic@twtxt.net sounds fair. Let’s see how it works for @abucci@anthony.buc.ci. Speedy fix, that’s awesome! :-)

@prologic@twtxt.net Yeah, but the thing is, I don’t even remember when/how/why I got to bed yesterday 😅

/ME is confused.

@movq@www.uninformativ.de Now, the Question is: Who’s body was in the garbage bag!? 😏😂

@bender@twtxt.net and I saw some conspiracy theory that he knew he was going to be arrested. He was working with French intelligence on a plea deal to defect. And now Russia is freaking out that Ukraine allies can have war comms access.

Yikes! If only they had salty.im!

There is a bug in yarnd that’s been around for awhile and is still present in the current version I’m running that lets a person hit a constructed URL like

YOUR_POD/external?nick=lovetocode999&uri=https://socialmphl.com/story19510368/doujin

and see a legitimate-looking page on YOUR_POD, with an HTTP code 200 (success). From that fake page you can even follow an external feed. Try it yourself, replacing “YOUR_POD” with the URL of any yarnd pod you know. Try following the feed.

I think URLs like this should return errors. They should not render HTML, nor produce legitimate-looking pages. This mechanism is ripe for DDoS attacks. My pod gets roughly 70,000 hits per day to URLs like this. Many are porn or other types of content I do not want. At this point, if it’s not fixed soon I am going to have to shut down my pod. @prologic@twtxt.net please have a look.

@mckinley@twtxt.net He’s signed up three times now even though I keep deleting the account, which is enough for me to permaban this person. I don’t technically want open registrations on my pod but up till now I’ve been too lazy to figure out how to turn them off and actually do that, and there hasn’t been a pressing need. I may have to now.

@movq@www.uninformativ.de is there a way to purge twtxts from a feed I no longer follow?

@movq@www.uninformativ.de, using the branch on topic right now, it works perfect. The only thing I found was that I had to quit neomutt, and re-open, to see the perfect thread. Other than that, I love it!

@bender@twtxt.net hmm, I wonder if these are simply twtxts auto created from an ActivityPub feed. Ah, crap, they are. LOL.

Because I saw the nick on movq (@prologic@twtxt.net, can’t mention anyone outside this pod, by the way), I looked the user up: https://tilde.pt/~marado/twtxt.txt. I wonder if the “hashes” they are using will work out of the box with jenny.

Talking about jenny, going to play with the latest now. Tata! :-)

@support@anthony.buc.ci No. Try this again and I nuke your IP.

👋 Hello @nigergibe@anthony.buc.ci, welcome to Buccipod, a Yarn.social Pod! To get started you may want to check out the pod’s Discover feed to find users to follow and interact with. To follow new users, use the ⨁ Follow button on their profile page or use the Follow form and enter a Twtxt URL. You may also find other feeds of interest via Feeds. Welcome! 🤗

@support@anthony.buc.ci Nope.