Bug reports on any software

70 readers
6 users here now

When a bug tracker is inside the exclusive walled-gardens of MS Github or Gitlab.com, and you cannot or will not enter, where do you file your bug report? Here, of course. This is a refuge where you can report bugs that are otherwise unreportable due to technical or ethical constraints.

⚠of course there are no guarantees it will be seen by anyone relevant. Hopefully some kind souls will volunteer to proxy the reports.

founded 3 years ago
MODERATORS
1
 
 

This post was composed with a link to a Wired article:

https://lemmy.ohaa.xyz/post/1939209

Then in a separate step, the article was edited and an image was uploaded. The URL of the local image unexpectedly replaced the URL of the article. Luckily I noticed the problem before losing track of the article URL.

2
 
 

I’m very grateful that #AnonymousOverflow exists and was already in place to give us refuge when #Stackexchange et al returned to #Cloudflare’s jail. I use this search service because it automatically integrates (SE→AO) replacement:

https://search.fabiomanganiello.com/search

A search led to this thread:

https://overflow.manganiello.tech/exchange/tex/questions/225027/how-to-create-new-font-which-is-thicker-version-of-computer-modern

The three links in the itemized links all point to Stackexchange, which puts the exclusion problem back in our face -- for those who are blocked from Cloudflare. Anonymous Overflow (AO) should eat its own #dogFood. Like the fabiomanganiello search service, AO should replace SE links with AO links within SE pages.

Yes, it may be a bit tricky because AO has a number of instances which go up and down. The onion ones are quite flaky. In principle, SE links should be replaced with the same instance the article is viewed on.

This #bug is posted here because the bug tracker is exclusively on MS #Github:

https://github.com/httpjamesm/AnonymousOverflow

3
 
 

Normally it’s possible to import comments into the Sopuli timeline by querying on URLs of external comments that are not yet local. Thereafter, it’s possible to interact with imported msgs.

But when I linked to an external comment (https://jlai.lu/comment/5309447) in this thread, and then later queried the URL of the comment, the search stops upon finding my own local mention of that comment. If the search feature is going to stop upon finding local results, then there needs to be a “go deeper” button, or an “import” button to give a means to import a comment.

As a consequence of this bug, I cannot reply to https://jlai.lu/comment/5309447 from Sopuli.

Also notable is if the search category is narrowed from “ALL” to “URL”, nothing results.

#LemmyBug

4
 
 

I posted this thread on jlai.lu. I got no replies as far as I could see from sopuli -- no notifications, and when I enter that thread there are still zero replies. But when I visit the thread on the hosting instance, I see a reply. This behavior is the same as if I were blocking that community -- but I am not.

When I search in sopuli for the direct link to the comment, the search finds it. And then I was able to forcibly interact with the comment.

I have to wonder how often someone replies to me and I have no idea because the response is hidden from me. This is a serious bug. Wholly unacceptable for a platform designed specifically for communication.

update 1 (another occurrence)


Here’s another thread with the same issue. Zero replies when I visit that thread mirror within sopuli, but 3 replies when visiting direct. I was disappointed that high-effort post got no replies. Now 2 months later I see there actually were replies. I will search those comment URLs perhaps in a couple days to interact. But I’ll hold off in case someone wants to investigate (because I think the act of searching those URLs results in copying the comments which could interfere with the investigation).

update 2 (subscription relevancy)


I was asked if I am subscribed to the community. Good question! The answer is no, so there’s a clue. Perhaps mentions do not trigger notifications if no one on the instance of the mentioned account is subscribed to the community. This could be the root cause of the bug.

#LemmyBug

5
 
 

Kensanata’s mastodon-archive tool was originally working as expected to archive posts from eattherich.club. Then out of the blue one day it started printing this:

Loading existing archive: eattherich.club.user.bob.json
Get user info
Get new statusesTraceback (most recent call last):
00] STDIN                                           File "/usr/lib/python3/dist-packages/mastodon-archive/mastodon-archive.py", line 5, in <module>
▏
Seen 10 duplicates, stopping now.
Use --no-stopping to prevent this.
Added a total of 25 new items
Get new favourites    mastodon_archive.main()
                                               File "/usr/lib/python3/dist-packages/mastodon-archive/mastodon_archive/__init__.py", line 333, in main
             args.command(args)
                                 File "/usr/lib/python3/dist-packages/mastodon-archive/mastodon_archive/archive.py", line 148, in archive
▏
Seen 10 duplicates, stopping now.
Use --no-stopping to prevent this.
Added a total of 7 new items
Get bookmarks (this may take a while)    bookmarks = mastodon.bookmarks()
                                                                           File "<decorator-gen-59>", line 2, in bookmarks
                                                                                                                            File "/usr/lib/python3/dist-packages/mastodon/Mastodon.py", line 96, in wrapper
                                                                   raise MastodonVersionError("Version check failed (Need version " + version + ")")
        mastodon.Mastodon.MastodonVersionError: Version check failed (Need version 3.1.0)

The count of new items never resets to zero. It should go back to zero after every fetch, so this implies fetching no longer occurs (or at least it no longer finishes). The current version of eattherich.club is Mastdoon v4.2.5. Not sure if a version upgrade would be related. Other Mastodon instances do not have this issue.

The bug tracker is on MS Github, thus out of reach for me:

https://github.com/kensanata/mastodon-archive/issues

6
 
 

The flagship instance for Matrix demonstrates the use of Cloudflare, which was found to be necessary to defend against DoS attacks. This CaaC (Cloudflare-as-a-Crutch) design has many pitfalls & problems, including but not limited to:

  • digital exclusion (Cloudflare is a walled garden that excludes some groups of people)
  • supports a privacy hostile tech giant
  • adds to growth and dominance of an oppressive force
  • exposes metadata to a privacy offender without the knowledge and consent of participants
  • reflects negatively on the competence, integrity, and digital rights values of Matrix creators
  • creates a needless dependency on a tech giant

#CaaC needs to be replaced with a #securityByDesign approach. Countermeasures need to be baked into the system, not bolted on. The protocol should support mechanisms such as:

  • rate limiting/tar pitting
  • proof-of-work with variable levels of work and a prioritization of traffic that’s proportional to the level of work, which can be enabled on demand and generally upon crossing a load threshold.
  • security cookie tokens to prioritize traffic of trusted participants

Sadly, #Matrix is aligned with another nefarious tech giant, and has jailed its project in Microsoft Github. And worse, they have a complex process for filing bugs/enhancements against the spec:

https://github.com/matrix-org/matrix-spec-proposals/blob/main/README.md

Hence why this bug report is posted here.

7
 
 

When the posts of a malicious user are deleted in bulk, each comment that is removed is replaced with “removed by mod”. This implies that the mod of that particular community removed that particular comment. The modlog of that channel does not account for the removal, so there is no traceability or way for users to check whether they have an overly ambitious mod.

When a bulk removal is performed, the replaced comment should be more transparent. It should say “comment removed in bulk cleanup of malicious user’s content” and it should link to whatever modlog might capture it.

8
 
 

cross-posted from: https://slrpnk.net/post/6002564

I wanted to see the image size for this post before deciding to download the image. Normally curl -i returns a “content-length”, but not in this case:

$ curl -i 'https://slrpnk.net/pictrs/image/67127e8e-52ef-42ad-bf39-424b9052ef90.webp'
HTTP/2 200 
server: nginx
date: Mon, 22 Jan 2024 09:56:56 GMT
content-type: image/webp
last-modified: Sat, 20 Jan 2024 16:24:40 GMT
vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
access-control-expose-headers: last-modified, content-type, accept-ranges, date, cache-control, transfer-encoding
cache-control: public, max-age=604800, immutable
accept-ranges: bytes
strict-transport-security: max-age=63072000
referrer-policy: same-origin
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block

Seems like a bug, no?

9
 
 

When viewing a timeline in #Lemmy, the count of responses will show “(1 new)” immediately after you add a reply to someone.

We don’t really care what’s new; we care how many comments are unseen which cannot include our own comments.

#LemmyBug

/cc @[email protected]

10
1
submitted 10 months ago* (last edited 10 months ago) by [email protected] to c/[email protected]
 
 

Some Lemmy instances (e.g. Beehaw) do not support down votes. When an instance does support down-votes, authors often get zero feedback with the down votes which ultimately supports obtuse expression, shenanigans and haters. The status quo suffers from these problems:

  • down voters do not need to read the comment they are down voting
  • down votes empower non-moderators to suppress comments and posts
  • some communities struggle to get content because of some malicious down voters who down vote every post to discourage activity and effectively sabotage the community; voting privacy shields malicious down-voters from discovery and supports their attack
  • silent down votes are non-constructive
  • some people make heavy use of down votes to suppress civil comments purely because of disagreement; other (more civil) users only use down votes to suppress uncivil dialog. This inequality ultimately manifests to reduce civility.
  • transparency: kids and adults are accessing the same forums and adults are blind as to whether down votes are coming from kids (the rationale can reveal this)

The fix:

An instance admin should be able to flip a switch that requires every down vote to collect a 1-line rationale from the voter. These one-liners should be visible to everyone on a separate page. Upvotes do not need rationale. So instance owners should have 3 configuration options:

  • down votes disabled (beehaw)
  • down votes require rationale (proposed)
  • down votes out of control (the most common status quo)

Perhaps overkill, but it might be useful if a moderator can cancel or suppress uncivil down votes.


BTW, the reason this enhancement request is not in the official bug trackers:

  • Lemmy’s bug tracker is in MS Github (#deleteGithub)
  • Kbin’s bug tracker is on codeberg, who silently deleted my account without warning or reason, and #Codeberg reg forces a graphical CAPTCHA (which fails on my non-graphical browser).

#lemmyBug #KbinBug

/cc @[email protected] @[email protected]

11
 
 

It would be useful to have more refined control over participation in a group. Someone should be able to create a group that gives permissions to specific individuals. A variety of permissions would be useful:

  • permission to see that a community/mag exists (some groups may or may not want to be listed in searchable a public directory)
  • permission to read the posts in a community/mag
  • permission to vote in the community/mag
  • permission to start a new thread in the community/mag
  • permission to comment on an existing thread in the community/mag

A forum creator should be able to set the above perms on:

  • individual accounts
  • all users on an instance (e.g. users on an instance @weH8privacy.com might be unfit for voting and writing comments in the community “fightForPrivacy”)
  • all users not on an instance (e.g. local users only for example)
  • instance IP-based (e.g. users from Cloudflared instances might be unfit to participate in a group called “decentralizationAdvocacy”)

Settings for individuals should override instance-specific settings. So e.g. a “fightForPrivacy” forum might allow all forms of participation from an instance stop1984.org, but if [email protected] is uncivil, a mod should be able to block all inputs from that user yet perhaps still allow antiprivacyMallory to just read the posts on the off chance of influencing the user to be more civil through exposure to civil chatter.

More background on the rationale - why the fedi needs this (click to expand)The fedi has undergone a huge flood of new users, largely moderates from Twitter. The moderates dilute movements.

Consider the evolution of raves and Burning Man. The beginning was a rich subculture that briefly evolved in isolation apart from the ordinary world. These subcultures became more enriched within their own world whereby the core ideas spawned more culture. Then word got out and spread like brush fire. Masses of uninitiated crowds flooded into raves and Burning Man faster than they could be integrated. Commercialization took hold faster than people could be integrated. The scene became diluted with clubbers and conservatives who essentially turned raves into clubs. The way to promote raves that resembled the original experience was to selectively flyer party goers who overtly embraced the experience, who were not merely there to be seen. IOW, the fix was invite-only events.

The flood of moderates into the fedi has crippled the decentralization movement and corrupted the vision. The fedi is now swamped with people from huge instances that are centralized on Cloudflare (lemmy.world, sh.itjust.works, lemmy.ca, lemm.ee, programming.dev, zerobytes.monster) and lemmy.ml. People without a firm grasp on the meaning, purpose, and benefits of decentralization and privacy still find their way into “privacy” communities and make foolish remarks (e.g. not sharing personal correspondence with Google and Microsoft “is tinfoil-hattery”). Sure, it’s favorable that the “I have nothing to hide” crowd intermingle with more sophisticated privacy-aware folks. It’s important that there be a venue where ignorance can be reversed. But--

Moderates are a drag on activism. A “PrivacyAction” forum does not benefit from a mob of idiots who see those practicing established infosec principles as “tinfoil hat” nutters to heckle. Security-wise people with infosec degrees naturally and unavoidably appear “paranoid” to normies. These normies and hecklers can only get in the way in a workshop-centric forum with the mission of strategizing activist movements and protests. Fair enough if a “climate” forum has climate deniers butting heads with those who accept the climate-relevant science. That dialog is needed. But we don’t want climate deniers in a “climate ACTION” forum. They are only there to dilute and sabotage.. to side-track the discussion. A workshop is not interested in rhetoric from those who oppose their mission.

So the status quo of #Lemmy and #Kbin disservices activism.


Workaround 1 (Lemmy only):

Make an announcement community and make all participants a moderator. Bit crazy unless you really trust everyone involved.

Workaround 2 (Lemmy):

One community per instance using instance-specific registration control. Still too blunt, cumbersome, excludes mods who don’t have their own instance.

Question

Sometimes I click to subscribe to a community which then goes into a “subscription pending” state. What does that mean? As a moderator of some groups I never receive a signal that someone is requesting to subscribe.


BTW, the reason this enhancement request is not in the official bug trackers:

  • Lemmy’s bug tracker is in MS Github (#deleteGithub)
  • Kbin’s bug tracker is on codeberg, who silently deleted my account without warning or reason, and #Codeberg reg forces a graphical CAPTCHA (which fails on my non-graphical browser).

#lemmyBug #KbinBug

/cc @[email protected] @[email protected]

12
 
 

When visiting this link:

http://web.archive.org/web/https://www.businessinsider.nl/cloudflare-ceo-suggests-people-who-report-online-abuse-use-fake-names-2017-5

the #WaybackMachine said the page is not archived. But in fact it was (and still is) here:

https://web.archive.org/web/20171024040313/www.businessinsider.com/cloudflare-ceo-suggests-people-who-report-online-abuse-use-fake-names-2017-5

This attribute got added to the end of the URL at one point in the process: ?international=true&r=US so it seems the #WaybackMachine is not wise about useless parameters. Perhaps it’s too complex for it to drop params and compare.

13
 
 

If you try to download video lU4vv7qCQvg on a variety of #Invidious instances, some (most?) redirect you to a realtime player instead of serving up the file. Those instances that cause the wrong action work correctly for other videos.

works → https://invidious.fdn.fr/watch?v=lU4vv7qCQvg

broken → https://iv.ggtyler.dev/watch?v=lU4vv7qCQvg

14
 
 

This app requires root but is not tagged as such:

http://fdroidorg6cooksyluodepej4erfctzk7rrjpjbbr6wx24jh3lqyfwyd.onion/en/packages/com.slash.batterychargelimit/index.html.en

Cannot report this bug via the official bug tracker for #Fdroid because the bug tracker is Cloudflare-jailed on github·com.

15
 
 

Some popups can be disabled in the user settings simply by waiving your option to confirm (e.g. to confirm deletes). But if for example you want to add a text description to an image you’ve attached, you cannot.

There should be a global user config option that says “do not use popups for anything”, and users should have the option of getting their dialog boxes in a way that does not clash with popup blockers.

16
 
 

So Bob replies to Alice, who then reads the msg and marks it as read. Then Bob makes some significant changes to the msg like adding lots of useful information that further answers Alice’s question. Alice gets no notification that the reply was updated.

For comparison, note that Mastodon (at least some versions) notify you upon edits of msgs that you were previously notified on.

17
 
 

Title says all. You can be in the middle of a lengthy response to someone, and if you click to vote their post up or down, everything you just typed is lost & non-recoverable. Yikes!

18
 
 

One of the bare minimum quality standards an official Debian app must have for admission into official Debian repos is that it must have a man page. Dino (the XMPP app) does not. This also means if users query to know what XMPP apps are installed by running “man -k xmpp”, there is no mention of dino-im.

The bug tracker for the Dino project is exclusively on Github, so this bug is reported here.

19
 
 

I think a great use case for this Community would be to ask other people to interact with projects on Github/Gitlab on their behalf, and report back the link to new issues or issue comments to the Community.

The URL attached to this post is an example of that, where Pilou created an issue in the Gitea tracker on behalf of Loïc who does not have a Github account for ethical reasons.

(Gitea is still on Github, but they intend to dogfood their own code forge any time soon. The issue Pilou created deals with adding ForgeFed-based federation support to Gitea. See this issue for details. FedeProxy community is trying to speed this up, by arranging funding).

20
 
 

Debian Bullseye has dropped libraries that electron-based apps depend on. Consequently, Electronmail and the Wire app are both broken in Debian Bullseye.

The underlying issue is documented here:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895037

Debian developers will never know about the impact specifically on Electronmail and the Wire app because they are not in the official debian repos.

Both apps are managed exclusively in MS Github. Hence why this bug report is here.