I came here for the same reasons as most of you and chiefly among them was to escape the corporate embrace of common social media platforms.
But how much trust can we place into Lemmy, Mastodon, and/or other various integrated Fediverse platform instances?
I’m all for open-source and transparency which the devs seem to provide, although providing source code and routinely audited source code are entirely different concepts.
Similarly, the high availability of source code may lead to malicious instances, actors, and/or back-end modifications that would favor specific instances resounding consequence throughout the Fediverse.
So I ask simply: How much faith do you have? (Please provide supporting documentation links supporting your answer because I’m genuinely interested.)
EDIT: I literally removed a semi-colon character ‘:’
What do you mean by “trust”?
Do I trust that vanilla Lemmy code doesn’t contain something nefarious, such as code that detects political positions it doesn’t like and reduces their visibility? Sure. It would be hard to hide something like that.
Do I trust that major servers aren’t secretly running software that manipulates content? Mostly yes. I think it would get noticed since there are lots of vanilla servers to compare behavior to.
Do I trust that all the software is well-designed and bug-free? I write software for a living. No software is bug-free and most of it isn’t well-designed.
Do I trust that everyone who runs a fediverse server isn’t an asshole? Absolutely not. Any jackass can run a server. I run a Mastodon server (on which all users are me).
How can people join your mastodon?
I also choose this guy’s Mastodon server
They can be my really close friends or family and ask me for an account, which I would actively discourage (join something well-run like .world) but eventually allow if they really wanted to.
deleted by creator
deleted by creator
This is a social media website. If you don’t trust it, no one is making you use it.
I came here for the same reasons as most of you
Ah, so you’re tired of Reddit’s manipulation of mods and users?
Understood and agreed.
Nobody is making any of us use The Software™, my question concerns your decision. Trust is an entirely separate concept and varies greatly depending on the audience.
BTW, It’s not just Reddit. ;)
deleted by creator
I have quite a lot of faith, but I think the majority of my faith is that whilst you’re right that abuses can happen because some people are cunts, there seems to be a groundswell of willingness to react to that possibility and tackle it.
The relatively recent CSAM attack on .world Communities is a prime example of that. Code was written and systems put into place (not by the lead developers it has to be said but by @db0 and others) to tackle that threat.
You’re pointing at the ugliest corner there is, and yet I’d like to point out that there’s been that kind of attack yesterday and the day before; and the tools and people reacted well enough for it to go unnoticed for most folk on the fediverse.
Similarly, the high availability of source code may lead to malicious instances, actors, and/or back-end modifications that would favor specific instances resounding consequence throughout the Fediverse.
Historically availability of source code has prevented that sort of thing since forever. Plus you can’t favor a specific instance, that’s the beauty of the protocol. It’s like saying google can favourite a specific email provider, they can’t, if suddenly Gmail stops receiving or sending emails to random domains people would just switch boats because you can register on any of the other email providers that don’t do that. Gmail can collect your data and all, but all data on Lemmy is public, so there’s no need to mess with the source code to gather data.
So what are you worried about? Mods moderating content in ways you don’t like? That will happen on any platform that allows moderation, and you don’t want to use one that doesn’t (plus it has nothing to do with the open source nature of the server, and you can jump to another community with different mods). Maybe you’re worried that malicious software will run on your phone? That’s more likely to happen with a closed source software, if you’re truly paranoid about these things you would have a full open source phone with a custom OS without google components flashed into it, I can see that you’re not on that level since you still don’t understand that open source is needed for transparency. Or maybe you’re worried the server itself will host malicious content? Any server can do that, servers that host things people write will always be able to host malicious content, it’s not hard to link to an external website or provide malicious scripts or files, just don’t click on random links or download random things from strangers online and you should be mostly fine.
Historically availability of source code has prevented that sort of thing since forever. Plus you can’t favor a specific instance, that’s the beauty of the protocol.
Availability of source code and actual auditing are entirely different.
It’s like saying google can favourite a specific email provider, they can’t,
They very well can as a private platform. For the record, google does favor specific vendors through their Google Partnership program and similarly through search results as recently found through court proceedings.
but all data on Lemmy is public
It’s also managed by a single source of truth, ie. databases… correct?
So what are you worried about?
I’m not worried about anything. I asked a question to a forum which seemed to superficially accommodate questions, my bad.
Mods moderating content in ways you don’t like?
I literally don’t care about moderated content, censorship, or whatever.
Maybe you’re worried that malicious software will run on your phone?
Nope.
I can see that you’re not on that level since you still don’t understand that open source is needed for transparency.
Yes, I’m lower than you. Teach me.
Or maybe you’re worried the server itself will host malicious content?
Counter question, how many straws are you grasping at here?
Realize how many questions you levied and that I was actually kind enough to take the time to answer most of them even if possibly rhetorical.
You insulted me and I’m okay with your opinions that I’m ignorant, “not on the level”, or whatever. I literally just asked a question.
EDIT: I failed to proofread and had a redundancy collision.
Similarly, the high availability of source code may lead to malicious instances, actors, and/or back-end modifications that would favor specific instances resounding consequence throughout the Fediverse.
That’s ultimately just the Internet being the Internet.
On the fediverse, any instance shouldn’t blindly trust any other instance for that exact reason. That’s part of the game. Instances share the data over ActivityPub, and it’s up to you to process and make use of that data. That includes spam filtering and whatnot. Some instances have CSAM detection for example.
Every instance that’s subscribed to a user or community gets the full set of data: every vote, from every user, from every instance involved. We have the data, we can analyze it. And that’s what really matters.
It doesn’t matter if there’s rogue instances trying to manipulate votes. Everyone have the data to detect and filter out the noise. Maybe one day it’ll be like E-Mail where the majority of the traffic is spam. But just like E-Mail, we’ll make filters and make it work. If all else fails, there’s always the allowlist method: only see content from sources you trust not be spammy. You can even run AI models on it to filter the data if you want. You have the data, you can do whatever you want with it to make it useful for you.
I have faith in the protocol and its openness, not the software that runs it.
Thank you for your response. May I ask (since you seem very knowledgeable): Could a singular instance manipulate their backend votes on a single post and have it replicate in order to garner more/less interest?
Example:
UPDATE Posts SET Updoots = 1000000 -- or SET Updoots = 0 WHERE PostId = 1;
I’ll admit that I have not properly studied the ActivityPub implementation as described by activitypub.rocks, but we’re all continuously learning.
Kind of but not really? You’d have to federate out every vote individually. There’s no upvotes totals anywhere, there’s a
vote
table that contains who voted up/down on what, and it’s counted as needed. So if you want to send out 1000 votes, you need 1000 valid users and also send 1000 different activities to at least one instance.You can make it display 100000 votes on your own instance if you want, but it’s not going to alter the rating on other instances because they run their own tally.
If you really want this to work long term, you need a credible looking instance with credible looking users that are ideally actually subscribed to the target community, and credible activity patterns too. Otherwise, the community can detect what you’re doing and defederate you and purge all the activities from your instance, and also revert all those votes as a side effect.
Remember, all votes are individual activities, and all votes are replicated individually to every instance. On Kbin, you can even see all the votes right from the UI, they don’t even hide it! You can count them yourself if you want. So anyone with the dataset can analyze it and sound the alarm. And each instance can potentially have its own algorithm for that, so instead of having just one target to game, like Reddit and a subreddit, you have hundreds of instances to fool. There’s so many signals I could use to fight spam: instance age, instance user growth, the frequency and timing of the votes, are the users seemingly active 24/7, what other communities those users post into, what are they voting for, do they all vote in agreement with each other, and on and on.
So, you technically can manipulate votes but it takes a lot of effort and care to make it as hard as possible to detect in practice. We play the same cat and mouse game as Reddit, but distributed and with many more eyes on it.
I’m mostly a fan, because I don’t feel like I have to have faith.
If my instance explodes, I’ll make an account on another instance. If the Lemmy devs collectively evaporate (and neither me nor others want to pick up the slack), then I can go to Mastodon or Kbin or whatever.
Individual rogue instances can be defederated. If e.g. Reddit truely disappears over night and Lemmy were to gain mass market appeal, then I can likely find a more isolated instance with a smaller community sharing my interests.
Who cares? If baddies subvert the backend, the worst case scenario is that I get lower quality memes.
I care slightly more about clients. Those run in sandboxes on your phone or browser, so they’re probably fine-ish too.
🤷
Teach me your ways. I want to learn.