True. It might have been better though if the Lemmy devs hadn’t been such cheapskates and forked over the 10 bucks it takes to get a domain name that isn’t sketchy.
The parent domain was apparently well known to be a common host of phishing domains and scam sites. Free domains tend to attract those types, so that’s a good reason from the start not to use that if you want your site to be reliably accessible and findable on search engines.
.be and .to are free to use by anyone as set by the respective countries registrars, anyone that registers a .it domain outside of Europe is just asking for trouble
Maybe. I read the idea about it standing for Marxist/Leninist, but there’s thousands of TLDs now - if you can get .diamonds and .world, there’s probably something that would evoke the same lefty idea (although maybe lemmy pre-dates the new domains, I don’t know)
lemmy.ml was a sort of prototype made by the devs of the lemmy software. It wasn’t really meant for widespread public adoption. So it makes sense that they went with a free domain.
@freamon Agreed, it's a silver lining post, for sure.
But generally I find people say "you see, this is why the Fediverse/Lemmy/Mastodon etc will never take off" for every blip of bad news or whatever. But in reality, while the news sucks for .ml servers, it highlights the resiliency of the Fediverse - which is a win.
And better to happen in the early days of Lemmy than when/if it got much bigger.
You say that as though there’s some kind of crystal ball we can all look into and see all of the obstacles that will need to be cleared and prepare accordingly. That’s not how scaling web services works, especially distributed ones that are built on a relatively new protocol.
A domain takedown was never able to shut a server down, not even with centralized servers. Most big services are accessible via multiple domains of different countries, and this would just disable one of them. But for the Fediverse that means that they also “disabled” an entire instance with all its users.
This actually shows us that relying on domains can be a problem for the Fediverse! Imo we need to upgrade the federation protocol to be able to handle these things, like propagating a domain change or migrating accounts to other instances.
Because you need a way to be reachable over HTTPS for other instances to be able to securely send you updates (new posts/comments/votes etc.), so you need a trusted certificate. While HTTPS does not strictly require a domain name^1^ it vastly simplifies the process.
^1^: It’s possible to get a trusted certificate for an IP address, but not nearly as easy as getting one for a domain. And it’s probably also more expensive than just getting a domain and using Let’s Encrypt to get a certificate.
Feels like this is the core key to be changed. Something like Debian’s packaging system for example, which doesn’t even need the Debian domain to be HTTPS.
Dunno the exacts, but why not the good ol’ GPG? You only need to be able to exchange keys out-of-band once, and it saves you from lots of other issues. Trust between Alice and Brian is a between-them thing, and should not depend on a thrid party like Caroline arbitrarily deciding to change Brian’s legal name to Brandon.
Debian packages are signed individually, and usually people also don’t see downloading Debian packages as potentially privacy-sensitive, so plain download is acceptable.
For lemmy where user accounts are involved, and in general as a new protocol designed in the age of HTTPS, it makes sense to require HTTPS.
This is one of the problems with using country TLDs. They look cute, but when you buy it, you may not realize who controls it. Lemm.ee is similarly in a precarious position.
I really wish we could all agree to stop using country TLDs for this
For .ca specifically: as long as you are a Canadian individual, or have a sufficient connection to Canada, or a Corp with a trademark registered in Canada then you are qualified to own that domain - but as to who is really checking I have no idea… CIRA complainants maybe?
@renwillis I'm not so sure this is a "win", since the Fediverse wasn't specifically targeted by any entity involved to begin with. If anything, it's just a straight-up loss to the communities that have to reassemble themselves under a new domain again, many of whom were probably mostly new users to the Fediverse to begin with, and are likely to be turned off by this experience. If anything, this just exposes that the Fediverse is significantly sustained by flimsy, free/cheap platforms that are vulnerable to disappearing without any notice. That doesn't exactly instill faith.
I could also get hot by lightning there times a day but I don’t optimize for it. This is a lol and definitely points back to how shitty personal servers may be. I for one hope a .org starts a monitizartion scheme, deals with the privacy issues this community blatantly ignores, and hires some professionals who actually know what they are doing.
@renwillis The Fediverse is more than just the collective network. It's also the individual communities, some of which no longer exist right now. Those communities are now scrambling to figure out what to do.
Yes, the whole of the Fediverse is just fine. But the overall health of the Fediverse relies heavily on the health of individual communities.
I do kinda agree, this isn’t great for general adoption but it’s a vital learning curve and hopefully smart people in the community will help develop ways to avoid it going forward and tools to fix it when it does happen
If this is a loss, a loss compared to what? Centralised servers? If Lemmy was a centralised server, this would’ve taken the whole site down. As another commenter mentioned, if the US government decides take Reddit down, the whole service would be lost. But in the Fediverse no single government can stop it.
Another example is when lemmy.world was attacked. All other instances and the custom clients continued to work. If you say this is a bad look, what’s a good look in your opinion? All of Lemmy going down at the same time? If centralised services deploy techniques to keep their services stable (horizontal scaling, regional mirrors etc.), Fediverse apps can use all of those techniques plus then some.
Lemmy as a whole not being hurt even if some domains are gone is the entire point of being decentralized. But yeah, it’s really bad that communities made there will also be gone as it is now.
We need user and community migration like Mastodon has, and quick.
Counterpoint: the generic communities being hosted on Lemmy.ml (an instance with a very strong political identity) simply because it was oldest was a real risk for the growth of Lemmy as a whole and this is a fantastic opportunity to rebuild those core communities on more generic Instances like Lemmy.world.
Eh, it’ll probably just bounce back tbh. With something this big, lemmy.ml can probably convince other fedi admins to migrate everyone’s subscriptions over
lmfao, frickin seriously? you’re gonna build up an instance where the domain is part of all of your users’ identities and you’re not even gonna spend the $10/yr to keep that solid? with how much time goes into running a lemmy instance and not getting overrun by bots, that’s an absolutely ridiculous assignment of resources
You have to remember that until recently, there was sub 100 daily users, this wasn’t a big platform, and it wasn’t just lemmy.ml, but a bunch of <10 user instances.
It wasn’t worth paying for a small side project until it wasn’t and at that point it was too late, plus who would have predicted that the gov of Mali would forcefully take back all of their domains?
i mean, good point on the project size, but buying a domain is honestly such a basic thing that it still feels like a weird result on that equation to me. for fmhy.ml, specifically, i understand their choice, since pirate sites do tend to be quite nomadic with their domains, and the fediverse being so domain-specific is a new thing.
still, domains are hella cheap. the $10/yr figure i quoted is for a “serious” one on one of the major tlds, you can get away with much less if you’re willing to go for a somewhat more niche but still reputable one. especially one that’s longer than two characters.
I’ve owned a .com domain for over a decade, ever since BEFORE I actually had a job and was living on allowances, and it still doesn’t register as an expense to me.
The content I host on that domain has been used by 3 different people tops, which is me and a couple of my friends. It’s still worth it.
If I were to build a public-facing service I’d certainly fork over the bare minimum to guarantee that it fucking stays up even if I don’t expect thousands of users. It’s just a matter of doing things properly. Free domains have always been sketchy as fuck, every scam ever was hosted on a .tk domain at some point.
But as it has been stated multiple times already, the only reason they actually went with “.ml” is because they thought it would be funny for the marxist-leninist association. That’s literally it. It’s not about money. Anyone with access to a dev machine has 10 dollars a year to spend or they wouldn’t be shitposting on the internet.
You underestimate how different some people’s situations and priorities can be. For us, it’s forking 10-20 USD (not a big sum of money) once a year by credit card (which isn’t hard to obtain).
There are parts of the world with dire financial situations or simply outdated systrms that don’t offer easy access to electric or international payments. There will be devs wanting to experiment with web services, but for them it isn’t simply “forking over the bare minimum”.
I won’t reveal my location just for the sake of an internet discussion, but I lived in a country (It’s not exactly a “3rd world shithole”, but not a developed one either) where until around five to ten years ago or so getting a bank account with ‘credit card’ meant you ‘made it’.
Why? If you weren’t lucky and wanted to pay for something international, you needed a friend with the aforementioned credit card to do the transaction on our behalf. Buying on Amazon? Better make it worth before bothering our friend there. What if I wanted games on steam? The friend with credit card, or use an intermediary that charges an extra before they ‘gift’ the purchased game. And so on.
Now it has gotten much better, as fintech apps filled the gap offering virtual visa or mastercard payments, and the banks themselves started offering credit cards with lower quotas, but you have to remember that it wasn’t available until a couple of years ago, or even still out of reach for some.
So what if you’re a developer with no affordable access to international tx and want to experiment regardless? You find the ones that don’t require payment.
I get a little over 10 dollars a day. Also, while my country has an excellent, free system for internal financial transactions, any international transaction will be (a) complicated and (b) expensive.
I’m not saying I wouldn’t pay USD1USD0 for a website, but I sure wouldn’t do it for a hobby one.
Even worse, the free .ml domain is not actually yours when you get it for free, but actually owned by the company that previously managed the .ml domain. I suspect Mali government has reclaimed all those free domain registrations now that the contract with the company has been expired. The .ml domains that still up was probably paid domain and Mali government are probably still honoring the contract.
At the time you get .ml free, .TK, .GA, .CF, .GQ were also available for free (they ended up all being used by spam advertisers, so those domains get marked ‘suspicious’ a lot)
I think a lot of them were tankies who thought it was cool to have ML in their domain name. They have lemmy.ml and lemmygrad.ml iirc. Honestly I don’t know whether to be happy those communities took a hit or sad that I might lose one way of identifying and avoiding auth-left instances.
I might be unaware of some technical issues here but why not just get another domain, point it at the server, then update the database to change all references to lemmy.ml to thenewdomain.tld and then make an announcement on a couple of the bigger instances? Federation will take care of propagating the news far and wide. Then, as users hear the news they can just login using the same details and those of us subscribed to Communities on .ml can just update our subscriptions.
I mean, it’s not a perfect solution but it’ll work, surely?
It’s my understanding that this isn’t possible. Migrating domains in Lemmy is not supported though it is possible with some very hacky solutions like you’re describing. But the old domain needs to be retained indefinitely as a pointer to the new domain or it will break federation with other instances. If they lose control of the domain or can’t keep it basically forever then federation will break. They can potentially migrate users and posts, but it is effectively like resetting and starting over as a new instance.
Right, but if Mali do reclaim all the .ml domains out there then there’s little option? Yes, federation will break for .ml and yes it’ll be like starting over on a fresh instance but only in terms of federation - all the users, communities, posts and comments will still exist, just under a new domain. Once the new domain starts federating people will catch on, especially if the news is posted on the larger instances.
Don’t get me wrong, I’m not saying its not a problem, I’m just not sure its a total disaster either.
The problem is with the federation. Other instances will try to federate with the old domain and won’t recognize the new domain. Simply changing your domain will not update federation in other instances. AFAIK work is still underway to allow migrating to a new domain and allow other instance to recognize the domain change.
ActivityPub uses URLs as IDs for everything. And there’s no way to update those IDs, it’s possible to update inbox URLs and other things but the main address of the object itself is its URL and thus there’s no way to propagate it without essentially making a new one.
It’s not impossible to do, but managing to get that to federate to all instances in a sane way is not currently possible.
There’s a ridiculous amount of URLs in the database and even fixing all of those won’t fully do the job, as post content might still refer to the old URL and whatnot.
It’s a messy situation, you’re not supposed to lose your domain.
That seems like an ActivityPub problem, not a problem with the admin who lost the domain. Perhaps somebody should fix dumbass design flaws to the protocol.
Federations won’t survive with obvious flaws like that. It needs resilienacy.
You’ll have to go complain directly to the W3C for that. The situation is Lemmy may fix it with some custom protocol extensions, but then it’ll still break every other piece of software that follows the spec like Mastodon, Kbin and others.
It’s like adding a 6xx status to HTTP. You technically can, but expect every standard compliant clients to be confused and bail on it.
You can’t just change domains with emails either and have everything seemlessly migrate over. Not losing a domain is not a completely unreasonable assumption to make.
Thankfully the users and communities aren’t lost, it’s just that people outside of fmhy will have to resubscribe to the communities on the new domain.
There’s definitely better ways to handle this, like, the ID could be a public key or something. Chances of RSA/EC key conflicts is basically nonexistent or we wouldn’t use them.
But it’s the W3C, of course they assume URLs can and will be permanent. Your domain being seized is not something typical companies and organizations face. It’s something you expect to happen to a site hosting piracy and other illegal content, which FMHY is somewhat borderline with its piracy guides.
ActivityPub is not designed to be any sort of censorship resistant for sites that move addresses and servers frequently.
Who was the idiot that decided to use for a database ID an identifier that almost entirely depends on external (and, for fediverse purposes, usually antagonistic) entities?
The W3C, apparently. It’s both the ID and the URL of the object if you want to refresh it. They seem to suggest doing it that way because the URL of a user profile is going to be guaranteed to be unique, and can only be owned by the owner of the domain.
Lemmy assigns it its own internal ID per instance but it’s only used internally for joins and stuff.
For example, your person ID is feddit.cl/u/nintendiator. If you curl it in ActivityPub format you’ll get your user:
They seem to suggest doing it that way because the URL of a user profile is going to be guaranteed to be unique, and can only be owned by the owner of the domain.
Immediate design issue right there: the URL of a user profile is not guaranteed to be unique, and while it can “”“only”“” be owned by the owner of the domain, 1.- it’s not owned by the user of the profile and 2.- the ownership by the domain owner is revocable by a third party.
Design-wise, it feels to me like they decided that land / house deeds could be certified by municipal traffic signage.
The W3C, also known as the people who develop the web standards. It’s a reasonable expectation as you have to draw a line in the sand somewhere. Distributed identity is not a solved problem, so domains are the best solution we have right now.
What would you suggest they use as the identifier with which allows other entities uniquely identity you? There are no alternatives until you introduce a ton of cryptography, which is what DID hopes to address, but that’s still going to be bad UX.
The W3C, also known as the people who develop the web standards
Figures. The same people who added DRM to the web standards.
Now, I don’t know what other alternatives could have been used, but I know that URL was among the obvious ones to not use. Something that uniquely identifies you has to be non-transitive and non-revocable by a third party, of which URLs are neither (domain names are revocable, URLs don’t have addressing persistence let alone when you add query strings into the mix, etc). Among the few things that I can think are non-transitive and non-thirdparty-revocable are the good ol’ ssh-keygen keys, easy to generate and all that but I’ve never found a good mechanism or design to query about them.
“.onion addresses and bitcoin addresses are secure and decentralized but not human-meaningful;”
All “crypto as in blockchains” requires trust and buy-in to that blockchain, and someone to put it on the blockchain. It being internally secure/trustworthy does not intrinsically mean it’s globally secure/trustworthy.
Sure, for the general case. In practice, we can look at Ethereum’s blockchain which has all the “buy-in” and “trust” enough to the point that it’s used to hold billions worth of value and is secured by the its validator network.
Ethereum has outlasted competing attempts to graft data onto a blockchain. It’s a long, long way from being accepted for general use by anyone who isn’t an enthusiast. The evaluation of a currency/company/blockchain is a measure of investor interest, little more.
You’re also misunderstanding. The problem isn’t whichever blockchain, the problem is that it’s still just a database. Someone has to be trusted to validate an entry. Whether that’s a trusted party, which defeats the point, or a consensus mechanism, which quickly becomes arbitrary/random, that the validation mechanism to interface with the ‘real world’ is the same weak point any other centralized database has. That the nodes are decentralized and cryptographically secure isn’t relevant.
I attend a worldwide unicycling convention every other year with thousands of attendees and millions of people have seen unicyclists. I wouldn’t call it mainstream.
Ethereum is still in the “garage band” phase. It (and BitCoin) had some commodity speculators jump in to make a quick buck and generate headlines. But other than that there’s a few thousand enthusiasts and the people they’ve managed to get interested, and little clear idea of where/how to build from there. For basically every blockchain use case the non-decentralized versions are at least an order of magnitude faster and simpler for the end user to understand. Unfortunately “It’s more secure” has never been a huge selling point in tech.
For a data carrying Blockchain? Ethereum doesn’t have any real competitors. But a serious contender for what?
Blockchain as a database is a solution looking for a problem. Most of the problems it solves other than decentralization are internal. Changing the format of the database to blockchain doesn’t get rid of existing problems with validation, it just abstracts them one more step. A contract isn’t worth the paper it’s printed on if there aren’t external systems ensuring it’s enforced. Calling that ‘paper’ a ‘smart contract’ doesn’t change that.
You are overthinking this way too much. The questions are actually simple:
I want to have a way to get an internet address which I can give to people so they can reach my website. It doesn’t need to be an universal audience and it might require some knowledge from the end users. How many people need to be able to do it for you to accept it as a valid alternative to DNS?
I want to run a casino online. The business is perfectly legit, but none of the payment processors want to accept me, or their rates are ridiculously high because of the risk profile. So I use DAI as my currency. How many people need to use it for you to accept it as a valid alternative?
I am an Argentinian or Venezuelan living in the US and I want to send money to my family. If I send the money though official means, the government will take 10-20% just because they can. It also puts a huge mark on my folks because now some corrupt official knows where they can get a good extortion victim. OTOH, If I send them BTC or DAI, my folks know how to cash it out or buy groceries in the black market. How many people using crypto for remittances do you need to have so you accept it as a valid alternative to Western Union or Wise?
You say that “blockchain is a solution in search of a problem”, that is usually a sign of someone who is privileged enough to live in a world with functional institutions. I just presented you some actual problems that people face which can be solved by crypto. They might not be your problem, but if you have a better solution that does not involve crypto, I’d love to hear.
And no, “fix the institutions” is not an answer that you want to give.
The Currency applications of blockchains make a lot of sense. It’s what the original BitCoin whitepaper was all about after all. They’re just hamstrung by the people using it for speculation/investment instead of… currency. It’s why virtually every business that accepted BitCoin in the 2010’s has stopped. It’s too volatile unless you’re getting in/out as fast as you can like with a quick transfer to a person that’s waiting for it.
It’s the attempts to graft a database onto blockchains that I find questionably useful. ENS/Handshake are interesting enough, but they are still ultimately a database that resolves via ICANN, plus some extra domains. The only intrinsic difference from just upgrading to DNSSEC or any of the other encrypted alternatives is that it takes more computing power to add or modify a database entry.
ENS is the root for a very small number of top level domains, half a dozen? Everything else just gets passed to the regular ICANN DNS root because most people don’t monitor their DNS/ENS traces and it would be bad™️ if google.com didn’t actually go to google.com.
ENS is in a weird place because it’s a non-profit operating a namespace database that charges money to update the database, which is just ICANN with extra steps. Both are more distributed than the previous solution, which was Jon, but they’re still a singular organization providing oversight. ENS seems to be struggling to find a way to mesh the whole blockchain ethos with that it can’t just let whoever register google.com (/google.eth/etc.). That’s a social issue that requires negotiation/oversight, not a tech issue. Or at least not one they’ve solved yet.
In the internet biz since 1993 here (retired): choose your registrar as carefully as your domain name.
Lowest price is the dumbest reason. It’s never the way to choose anything. ID what your needs are, what satisfies that, then shop for the best price…
Anyway at the moment for my purposes the EU with it’s gdpr and other rules is the best choice for many reasons. I’m using joker.com.
Top level domains (.ml etc) have their own rules, you gotta read them carefully. I don’t know anything about .ml and whether they allowed that usage or not.
Oof best of luck to you guys on .ml instances, might be worth looking at buying a domain as a backup to migrate to. Don’t wanna be caught off guard like this especially if they are trying to recoup all their urls. I went with a .boo domain to be unique for my instance but there are loads of TLDs out there
yeah and some countries with popular tld’s (.fm,.tv) like the revenue they generate and have no interest in disturbing that situation. That said, there’s always a risk, especially since things can change, governments change etc.
Yes, governence is key. That should ideally have it's users as stakeholders and be for public benefit and not for profit. Oh and be efficient. There's no technical reason why domains should cost more than $5.
There has to be a government connection since the DNS infrastructure in a developed country has to protected against bad actors will necessarily be linked, but not controlled, by national cybersecurity.
Oh and it should be a politically stable country. Problematical for the US?
You can only federate via tor or i2p if both sides support those protocols, because for federation to work between two nodes both nodes need to be able to initiate connections to the other. That means one-way bridges like tor exit nodes are not sufficient.
I’d guess most Fediverse servers don’t support either of those protocols, so any new server trying to federate solely through them would have an extremely limited view of the Fediverse.
Though I suppose theoretically nothing is really preventing a motivated group of server admins from setting up a parallel “dark Fediverse” containing only onion sites.
Good explanation, thanks. I figured it would have been the interface between in the onion and outside of it. That’s too bad. It’s been forever since I used tor but… would someone be able to set up an exit node specifically as a federation point with the outside world? Sort of working as a reverse proxy for a site or sites on the inside?