378
Suboptimal ways to respond to a public security incident
(lemmy.stuart.fun)
This issue is already quite widely publicized and quite frankly "we're handling it and removing this" is a much more harmful response than I would hope to see. Especially as the admins of that instance have not yet upgraded the frontend version to apply the urgent fix.
It's not like this was a confidential bug fix, this is a zero day being actively exploited. Please be more cooperative and open regarding these issues in your own administration if you're hosting an instance. 🙏
Right, but Lemmy.ml is really just one of a thousand plus instances. We need something instance independent or a way to propagate info that doesn't rely on any single failure points, or Lemmy as the communication channel. What happens when lemmy.ml is down, or if no instances are able to post due to concerted DoS?
It's impossible to stop anyone randomly posting stuff on Lemmy. Attackers can post misinformation as well, especially if they compromise admin accounts. Who are we gonna trust in the midst of the next incident? The account posting most prolifically about the UI exploit in progress was using a burner account that had just been created to post about it. I'm sure there were good reasons for wanting to be anonymous when discussing the work of unknown malicious actors, but it made me think twice about what was being posted at the time.
I think the authoritative source should be the GitHub repo. A security advisory should be posted there with references to outside resources as necessary.
checks all the boxes - authoritative (authenticated user accounts), central location, not on fediverse, already relatively well-known by lemmy users and provides visibility to remediation. It's a good idea.