this post was submitted on 25 Mar 2025
262 points (98.9% liked)

Announcements


Official announcements from the Lemmy project. Subscribe to this community or add it to your RSS reader in order to be notified about new releases and important updates.

You can also find major news on join-lemmy.org


In the last weeks Lemmy has seen a lot of growth, with thousands of new users. To welcome them we are holding this AMA to answer questions from the community. You can ask about the beginnings of Lemmy, how we see the future of Lemmy, our long-term goals, what makes Lemmy different from Reddit, about internet and social media in general, as well as personal questions.

We'd also like to hear your overall feedback on Lemmy: What are its greatest strengths and weaknesses? How would you improve it? What's something you wish it had? What can our community do to ensure that we keep pulling users away from US tech companies, and into the fediverse?

Lemmy and Reddit may look similar at first glance, but there is a major difference. While Reddit is a corporation with thousands of employees and billionaire investors, Lemmy is nothing but an open source project run by volunteers. It was started in 2019 by @dessalines and @nutomic, turning into a full-time job since 2020. For our income we are dependent on your donations, so please contribute if you can. We'd like to be able to add more full-time contributors to our co-op.

We will start answering questions from tomorrow (Wednesday). Besides @dessalines and @nutomic, other Lemmy contributors may also chime in to answer questions:

Here are our previous AMAs for those interested.

[–] [email protected] 48 points 3 days ago (3 children)

What’s something you wish it had? What can our community do to ensure that we keep pulling users away from US tech companies, and into the fediverse?

One of the biggest issues at this point is probably the registration experience. There are quite a few occurrences on [email protected] of users not sure whether their email has been validated or not, and at the moment they really need to look out for the toastify notification on their first try, later attempts won't show it.

Most recent example: https://lemmy.ml/post/27607055?scrollToComments=true

If there could be a way to inform a user saying "your email address has been validated, please wait for an administrator to activate your account, you can reach out to them at xxx", that would be great.

[–] [email protected] 8 points 2 days ago* (last edited 2 days ago) (1 children)

You're right, I also noticed some other problems while testing registrations:

For the email validation it could also make sense to send out another email saying "your email has been validated", so it's not only shown on the website.

[–] [email protected] 3 points 2 days ago
[–] [email protected] 7 points 2 days ago (1 children)

I'd need more detail here. If registration emails aren't being sent out correctly, we need to handle that.

[–] [email protected] 8 points 3 days ago (3 children)

This generally goes against security best practices as it can be used for attempted user enumeration. A better version would be "we'll send you an email with your account status if this user exists" but obviously that results in a fair amount more complexity (and cost) to implement

[–] [email protected] 0 points 9 hours ago (1 children)

Enumerating users is not a security problem. It's platform obscurantism to even suggest that it is.

[–] [email protected] 1 points 2 hours ago

I think I'll trust OWASP and my own over 20 years of experience building commercial software but you do you

[–] Die4Ever 3 points 2 days ago

the password/cookie should still work even when awaiting validation, password is set before the email is sent

[–] [email protected] 3 points 3 days ago* (last edited 3 days ago)

I am not suggesting users being able to enumerate other users, just that the unique link that is currently used for email verification would be more explicit than just the one time toastify notification
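
The distinction drawn in this thread, as an added example that is not Lemmy's code and not part of any comment above: a status page keyed by the unguessable emailed link can be explicit, while a status lookup keyed by email address returns one generic answer and sends the detail by mail. The in-memory store, function names and message strings are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed in-memory store (assumption); a real instance would use its database.
ACCOUNTS = {}  # email -> {"verified": bool, "approved": bool}
TOKENS = {}    # sha256(token) -> email, so raw link tokens are never stored

GENERIC = "If an account exists for this address, we have emailed its current status."


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def register(email: str) -> str:
    """Create a pending account and return the link token that would be emailed."""
    token = secrets.token_urlsafe(32)  # unguessable, known only to the mailbox owner
    ACCOUNTS[email] = {"verified": False, "approved": False}
    TOKENS[_digest(token)] = email
    return token


def status_by_token(token: str) -> str:
    """Page behind the emailed link: explicit, and identical on every revisit."""
    email = TOKENS.get(_digest(token))
    if email is None:
        return "This link is invalid or has expired."
    account = ACCOUNTS[email]
    account["verified"] = True  # idempotent, so later visits show the same status
    if account["approved"]:
        return "Your email address has been validated and your account is active."
    return ("Your email address has been validated, please wait for an "
            "administrator to activate your account.")


def status_by_email(email: str, outbox: list) -> str:
    """Lookup by address: the HTTP response never depends on account existence."""
    account = ACCOUNTS.get(email)
    if account is not None:
        if not account["verified"]:
            state = "awaiting email verification"
        elif account["approved"]:
            state = "active"
        else:
            state = "awaiting administrator approval"
        # Queue the mail out of band so response time does not differ either.
        outbox.append((email, f"Your account is {state}."))
    return GENERIC
```
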