this post was submitted on 25 Mar 2025
262 points (98.9% liked)

Announcements


Official announcements from the Lemmy project. Subscribe to this community or add it to your RSS reader in order to be notified about new releases and important updates.

You can also find major news on join-lemmy.org


In the last weeks Lemmy has seen a lot of growth, with thousands of new users. To welcome them we are holding this AMA to answer questions from the community. You can ask about the beginnings of Lemmy, how we see the future of Lemmy, our long-term goals, what makes Lemmy different from Reddit, about internet and social media in general, as well as personal questions.

We'd also like to hear your overall feedback on Lemmy: What are its greatest strengths and weaknesses? How would you improve it? What's something you wish it had? What can our community do to ensure that we keep pulling users away from US tech companies, and into the fediverse?

Lemmy and Reddit may look similar at first glance, but there is a major difference. While Reddit is a corporation with thousands of employees and billionaire investors, Lemmy is nothing but an open source project run by volunteers. It was started in 2019 by @dessalines and @nutomic, turning into a full-time job since 2020. For our income we are dependent on your donations, so please contribute if you can. We'd like to be able to add more full-time contributors to our co-op.

We will start answering questions from tomorrow (Wednesday). Besides @dessalines and @nutomic, other Lemmy contributors may also chime in to answer questions:

Here are our previous AMAs for those interested.

[–] v_krishna@lemmy.ml 8 points 3 days ago (3 children)

This generally goes against security best practices as it can be used for attempted user enumeration. A better version would be "we'll send you an email with your account status if this user exists" but obviously that results in a fair amount more complexity (and cost) to implement.

[–] interdimensionalmeme@lemmy.ml 0 points 17 hours ago (1 children)

Enumerating users is not a security problem. It's platform obscurantism to even suggest that it is.

[–] v_krishna@lemmy.ml 1 points 10 hours ago

I think I'll trust OWASP and my own over 20 years of experience building commercial software, but you do you.

[–] Die4Ever 3 points 3 days ago

the password/cookie should still work even when awaiting validation, password is set before the email is sent

[–] Blaze@lemmy.dbzer0.com 3 points 3 days ago* (last edited 3 days ago)

I am not suggesting users being able to enumerate other users, just that the unique link that is currently used for email verification would be more explicit than just the one time toastify notification
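
The uniform-response pattern v_krishna describes in the thread above ("we'll send you an email with your account status if this user exists"), shown beside a state-revealing handler. This is an added example, not Lemmy code and not written by any commenter; the `Service` class, its method names, the reply strings and the sample accounts are all hypothetical and constructed for illustration.

```python
# Added example: hypothetical names, constructed sample data.
from dataclasses import dataclass, field

GENERIC_REPLY = "If an account exists for that address, we've emailed its status."

@dataclass
class Account:
    email: str
    verified: bool

@dataclass
class Service:
    accounts: dict                               # normalized email -> Account
    outbox: list = field(default_factory=list)   # stands in for a mail queue

    def status_leaky(self, email):
        """Reply depends on account state, so a caller can enumerate users."""
        acct = self.accounts.get(email.strip().lower())
        if acct is None:
            return "No such account."
        if not acct.verified:
            return "Account exists but email is not verified."
        return "Account is active."

    def status_uniform(self, email):
        """Same reply for every input; the details go only to the mailbox owner."""
        acct = self.accounts.get(email.strip().lower())
        if acct is not None:
            state = "active" if acct.verified else "awaiting email verification"
            self.outbox.append((acct.email, f"Your account is {state}."))
        return GENERIC_REPLY

def distinguishable(handler, probes):
    """True if the replies alone let a caller tell the probed addresses apart."""
    return len({handler(p) for p in probes}) > 1

def demo_service():
    """Constructed sample data: one verified and one unverified account."""
    return Service({
        "alice@example.org": Account("alice@example.org", True),
        "bob@example.org": Account("bob@example.org", False),
    })

if __name__ == "__main__":
    svc = demo_service()
    probes = ["alice@example.org", "bob@example.org", "nobody@example.org"]
    print("leaky handler distinguishable:  ", distinguishable(svc.status_leaky, probes))
    print("uniform handler distinguishable:", distinguishable(svc.status_uniform, probes))
    print("queued mail:", svc.outbox)
```

Response time is a second channel: the mail should be enqueued rather than sent inline, so that requests for existing and non-existing addresses take about the same time.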