Unsurprisingly, some folks on raddle and reddit seem to have a big problem with lemmy. A lot of it is pure FUD.
However, this appears to be a valid security concern:
https://raddle.me/f/fediverse/166674/lemmy-is-so-much-like-email-it-even-brought-back-spy-tracker
Any thoughts on how fixable this is?
Of course the general consensus on reddit is “lemmy devs are clueless and dangerous”. I’m pretty sure a lot of it is one guy with multiple alt accounts, though. He has a Joe McCarthy attitude about lemmy because of one of the primary devs.
Why are people pretending this isn’t an issue??? Of course it is lol.
Luckily the fix is also easy: an image proxy server. Mail clients do this already.
It exposes the bigger problem with Lemmy: lack of auditing.
Nah, we’re auditing, just live.
For better or worse, security is in the community’s hands. But that’s why we are here in the first place.
Any thoughts on how fixable this is?
This shouldn’t be hard to fix. Lemmy needs to proxy images, there’s an open issue for this. Right now, I don’t use Lemmy outside of Tor Browser specifically because of issues like this, and the recent XSS vulnerability is making me even more concerned. Lemmy is a great project, but it needs work and probably a security audit.
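An added example, not code from this thread or from the Lemmy project, sketching the image-proxy fix the replies above describe: remote image references in post text are rewritten at render time to a signed proxy URL, so the reader's browser never contacts the tracker's host, and the proxy only fetches URLs the server itself signed, so it cannot be abused as an open relay. The proxy endpoint, the secret and the hostnames are constructed placeholders.

```python
import hmac
import hashlib
import re
from urllib.parse import quote, unquote, urlsplit

# Constructed values for this example only; a real deployment keeps the
# secret out of source control and uses its own proxy endpoint.
PROXY_SECRET = b"constructed-example-secret-rotate-me"
PROXY_BASE = "https://lemmy.example/image-proxy"   # hypothetical endpoint
LOCAL_HOSTS = {"lemmy.example"}                     # images we host ourselves

# Markdown images ![alt](url) and raw <img src="url"> tags in post bodies.
_MD_IMG = re.compile(r"!\[([^\]]*)\]\((https?://[^)\s]+)\)")
_HTML_IMG = re.compile(r'(<img\b[^>]*\bsrc=")(https?://[^"]+)(")', re.I)


def _sign(url: str) -> str:
    """HMAC over the target URL: only URLs this server issued get proxied."""
    return hmac.new(PROXY_SECRET, url.encode(), hashlib.sha256).hexdigest()


def proxy_url(url: str) -> str:
    """Map a remote image URL to a signed proxy URL; local images stay as-is."""
    host = urlsplit(url).hostname
    if host is None or host in LOCAL_HOSTS:
        return url
    return f"{PROXY_BASE}/{_sign(url)}/{quote(url, safe='')}"


def rewrite_images(body: str) -> str:
    """Rewrite every remote image reference in a post or comment at render time."""
    body = _MD_IMG.sub(lambda m: f"![{m.group(1)}]({proxy_url(m.group(2))})", body)
    return _HTML_IMG.sub(lambda m: m.group(1) + proxy_url(m.group(2)) + m.group(3), body)


def resolve_proxy_request(signature: str, encoded_url: str):
    """Proxy side: return the upstream URL to fetch only if the signature matches.
    Without this check the proxy is an open relay anyone can point anywhere."""
    url = unquote(encoded_url)
    if not hmac.compare_digest(signature, _sign(url)):
        return None
    return url


if __name__ == "__main__":
    # Constructed post: one tracking pixel on a third-party host, one local image.
    post = "![pixel](https://tracker.example/p.gif?u=42) ![me](https://lemmy.example/a.png)"
    print(rewrite_images(post))
```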