this post was submitted on 01 Apr 2024
9 points (100.0% liked)

/kbin meta

5 readers
2 users here now

Magazine dedicated to discussions about the kbin itself. Provide feedback, ask questions, suggest improvements, and engage in conversations related to the platform organization, policies, features, and community dynamics. ---- * Roadmap 2023 * m/kbinDevlog * m/kbinDesign

founded 1 year ago
 

Comments such as:

letting more people help with Kbin development.
...
Why not getting some help? I know that Ernest already said he has a problem trusting people, but

Why has Ernest insisted on being the only developer to work on this? This creates a potential “single point of failure” situation.

I understand the desire to keep kbin a solo project in order to maintain control over it, but if this is going to see any success in the long term, then there needs to be a team.

come up in almost all threads about KBin's performance. At the time I just read them as nincompoops being whiners.

In hindsight does remind one a bit of similar social pressure leveled against Lasse Collin, does it not?

Not saying people are trying to backdoor this place or anything. The similarity just seemed worth pointing out.

all 49 comments
sorted by: hot top controversial new old
[–] [email protected] 9 points 7 months ago

I typed a reply about how bad actors will use reasonable arguments to get their way, so we'd need genuine evidence

my comment didn't send properly tho and i got an error message, so if you see me commenting twice, sorry

[–] [email protected] 5 points 7 months ago (1 children)

I mean, he's developing and administrating what's essentially a Reddit clone all on his own.

[–] [email protected] 5 points 7 months ago (3 children)

I mean, he’s developing and administrating what’s essentially a Reddit clone all on his own.

And doing a damn fine job.

The question was if you saw similarity in the pressure to add maintainers to the project with the social engineering that lead to xz getting backdoored.

[–] [email protected] 10 points 7 months ago (1 children)

No, he's not. Kbin was recently down for a week. Then voting and comment counts broke. Before all that I had to get into the habit of reloading the page I was on every time I wanted to vote on something. It's a terrible user experience.

That's not to say I don't like him or he's not a good dev or whatever. Just that people have limits and it sure seems like he's bumping against his.

[–] [email protected] 4 points 7 months ago (1 children)

I think Ernest is doing a fine job. [shrug] Especially when you consider none of us are being charged to be here.

Could we please stop talking about if Ernest is burning out though? That was never the question of this thread.

The question was if the comments reminded you of the social engineering that engendered the xz backdoor.

[–] [email protected] 5 points 7 months ago (2 children)

I didn't say anything about burning out. A job can be too big or difficult for a person without them burning out.

Ultimately, it's just a question of results. If kbin.social is working poorly but other alternatives are doing good, I move on. That works well in the Fediverse especially, as evidenced that I am commenting from fedia.io.

[–] [email protected] 3 points 7 months ago (1 children)

Likewise I also moved on from Kbin. Obviously we have no power over that project, that belongs solely to the person who created it, but we do control our own actions. e.g. I used to sing the praises of the Fediverse and go out of my way to not equate it with Lemmy - always saying like Lemmy/Kbin. Now I still do the former but I actively tell people that Kbin might not be a good match for them. Ernest has kept it as alpha version software - which is fine, there is a need for such things, and it will become great, someday... hopefully. But today is not that day, and that is super good for people to know, e.g. that they don't have to leave the Fediverse entirely to get a more functional experience, just Kbin.social.

[–] [email protected] 2 points 7 months ago (1 children)

fedia.io is running mbin, which is a fork of kbin. It seems to be doing well, so you could switch to Lemmy/mbin if you don't want to include kbin any more but still want to show alternate clients are possible.

[–] [email protected] 1 points 7 months ago (2 children)

Thank you for the suggestion. So far I've just taken to saying "Fediverse", perhaps I'm holding out hope for still more clients in the future:-)? Also it's shorter than Lemmy/Kbin/Mbin:-).

[–] [email protected] 2 points 7 months ago (2 children)

Piefed also looks promising.

[–] [email protected] 3 points 7 months ago (2 children)

Piefed also looks promising.

That one interoperable with Mastodon like Kbin is?

[–] [email protected] 3 points 7 months ago

It appears focused on being compatible with lemmy, but I haven't asked the dev what their plans are for mastodon integration.

They do have an interesting image-viewing mode though, which is pretty cool. :)

[–] [email protected] 1 points 7 months ago (1 children)

Nope, and it doesn't seem to be on the agenda either. Kbin/Mbin is still the only platform(s) to try to bridge the two.

[–] [email protected] 4 points 7 months ago

Kbin/Mbin is still the only platform(s) to try to bridge the two.

Moreover it seems to have better discoverability than mastodon Mastodon. I can type a word or phrase in the search bar on kbin and find "Mastodon" posts whereas I'm stuck viewing whatever is timeline trending on Mastodon proper unless I follow someone or can figure out whatever hashtag person might have affixed to their post.

Even with kbin being down a good 1/5 of the time it remains the best ActivityPub viewing experience (in my).

[–] [email protected] 2 points 7 months ago

Exactly! More and more products can be added - like now we are hearing about Fedi-wikis (from the original Lemmy developer iirc), and ofc there will be Threads (whether we dread it or not!), so the Fediverse (iirc, defined basically as anything that uses the ActivityPub protocol?) is growing up, spurred onwards by the ongoing demise of Reddit even if started long before. :-)

[–] [email protected] 0 points 7 months ago (1 children)

I saw the term "threadiverse" being used to group all Reddit alternatives interoperable with the Fediverse.

[–] [email protected] 1 points 7 months ago

I saw the term "threadiverse" being used to group all Reddit alternatives interoperable with the Fediverse.

Yeah, but Meta's fucked up the application of anything containing "thread".

[–] [email protected] 1 points 7 months ago

I didn't say anything about burning out.

Fairplay, but that then's two step removed from what this thread is about.

[–] [email protected] 3 points 7 months ago (1 children)

And he's burning out. And more maintainers would be even better.

Yes, it's similar, but every one-man project with real-world use is similar in that regard.

[–] [email protected] 2 points 7 months ago (2 children)

And he’s burning out.

I have seen no evidence of that. Also not the point of this thread.

[–] [email protected] 7 points 7 months ago (1 children)

I’m not going to pick through his last year’s posts and make a diagnosis, but if you’ve seen no evidence of that, I think you’re wilfully ignoring the signs.

[–] [email protected] 2 points 7 months ago (1 children)

I’m not going to pick through his last year’s posts and make a diagnosis, but if you’ve seen no evidence of that, I think you’re wilfully ignoring the signs.

Ok, I'll continue "ignoring" evidence you can't even describe ("He talked somewhere about..."), much less cite.

For all we know his frequent absence is down to a great work-life balance on his part.

Irrespective this thread is not about who is or is not burnt out, it's about how posts like your are what enabled the xz backdoor to happen.

[–] [email protected] 5 points 7 months ago* (last edited 7 months ago) (1 children)

Irrespective this thread is not about who is or is not burnt out, it's about how posts like your are what enabled the xz backdoor to happen.

I thin you need to chill a bit. Open source has a long illustrious history of people cooperating to build software and submit patches and enhancements which are then scrutinized by project leads. Yes, occasionally bad actors use this model to try and slip through exploits, but you don't throw out one of the strengths of open source because of that. You make sure mechanisms are in palce to allow robust scrutiny.

And no, I'm absolutely not going go through someone's post history and quote bits that show someone is frazzled. I expect you to have enough empathy

[–] [email protected] 2 points 7 months ago

I thin you need to chill a bit.

I'm not the one calling people willfully ignorant about things a thread isn't even about.

one of the strengths of open source because of that.

I don't think being a jerk is a strength

[–] [email protected] 0 points 7 months ago (1 children)

I used it as a support to my argument, so, it's relevant. No evidence, you say... I don't want to talk too much about someone's health issue. Just believe what you believe. I don't think you can change your view through online discussion.

[–] [email protected] 2 points 7 months ago

I used it as a support to my argument

What argument? I'm not sure what you position is.

[–] [email protected] 0 points 7 months ago (1 children)

He is doing an excellent job, and I do not mean to denigrate his work when I say the task is beyond any one person, no matter how talented and dedicated. Look at the issues that went on recently while Ernest was indisposed, and we had months of federation issues that led to communities migrating away and Kbin.social getting defederated by other instances.

This project is getting too large for any one person, and it's far too important to have one point of failure. And even someone as great as Ernest needs an understudy.

[–] [email protected] 3 points 7 months ago (1 children)

I don't know what this xz thing is about, first time hearing it. But people saying he should get more help are trying to help him, not having malicious plans like installing backdoors or whatever.

I do think people should ask less for more maintainers — the project is already opensource, so it's up to maintainers to join, not him to seek them out. But he should still get some help with managing the instance. Pauses in development are fine imo, but the instance shouldn't be swarmed with spam and account deletion requests lost in limbo just because ernest got sick or something, which can happen with the best work life balances.

[–] [email protected] 7 points 7 months ago* (last edited 7 months ago) (1 children)

I don't know what this xz thing is about, first time hearing it.

Someone pressured the maintainer of a compression tool used in a bunch of open source software to hand over the keys by citing burnout and offering to "help" then spent ~3 years slowly adding tiny changes that combined to form a backdoor in SSH that nearly compromised the entire internet or something.

It was only barely caught by accident because it made some thing some guy was doing that wasn't even related a fraction of a second slower.

Been all over the FOSSiverse for days, and the social engineering that was used on the xz maintainer reminded me personally of similar pressure certain people have applied to Ernest in most threads about kbin performance I have seen.

[–] [email protected] 11 points 7 months ago

The reason it worked is because sometimes burnout is a real problem, and getting extra help is a real solution. The fact that this was exploited in one situation doesn't mean that all of a sudden there isn't any real burnout or genuine offers to help any more.

A project can sometimes benefit from help even if there is no burnout. People have limits.

[–] [email protected] 3 points 7 months ago

xz was successful because it was believable, but a malicious actor would more likely target libraries that are depended on by many, like xz.

[–] [email protected] 3 points 7 months ago (1 children)

Yes, there is some similarity. You're not wrong.

However, it's much more likely to be due to the common experience of solo devs whose projects blow up than it is about bad actors on kbin.

If you're so inclined, you can always check the profiles of those who were pushing for it and particularly those who were volunteering; the boehs.org link should supply some helpful red flags to look for. Ernest would be wise to check IP activity and even ask for IRL credentials of those he would consider giving any real level of access to. Beyond that, it's firmly in the realm of "mildly interesting."

[–] [email protected] 1 points 7 months ago

It's not the boeh.org link, but here is a similar timeline of events: https://research.swtch.com/xz-timeline

[–] [email protected] 2 points 7 months ago

its open source. it can and has been forked. he can do what he likes. The call for moderation made sense but code is different. Granted I think he should bring in help for himself but that is for him to decide.

[–] [email protected] 1 points 7 months ago (1 children)

Honestly, no. Kbin has been barely usable for a long time and I'm starting to consider giving up.
I have a notification waiting for me, but I get a 404 on the page to check it out. /sub also didn't work yesterday. I spent a few minutes trying to edit a comment just an hour ago.

Nothing against Ernest, a page of this size is hard to manage alone or almost alone, but it's still a pain as a user.

[–] [email protected] 2 points 7 months ago

I have a notification waiting for me, but I get a 404 on the page to check it out.

Append ?p=1 at the end of the URL; that sometimes fixes it.

Next, relax.

[–] [email protected] 1 points 7 months ago (1 children)

Erm, I thought kbin was open source? Can't anybody fork it if they have a problem with it? This sounds like a whiny nothingburger.

[–] [email protected] 3 points 7 months ago (1 children)

Erm, I thought kbin was open source? Can’t anybody fork it if they have a problem with it? This sounds like a whiny nothingburger.

They can. That's what mbin is.

That's part of why I don't get why people always pressure Ernest to add maintainers.

[–] [email protected] 2 points 7 months ago (1 children)

I said that already, mbin might be good but I didn't like the advertisement.

[–] [email protected] 3 points 7 months ago (2 children)

I said that already, mbin might be good but I didn't like the advertisement.

I'm not quite sure what your position is. I am by no means an mbin booster. In fact I find some of the people pushing mbin over kbin (in lieu addition too) jerks about it.

This whole thread has been about the similarities I noticed between comments people made about/to Ernest previously and the sort of comments we later learned led to the xz backdoor.

When I started to read breakdowns about the social engineering behind the xz backdoor I was like, "Waaaaitaminute, I've seen that sort of talk before." I found it notable to point out the similarity and maybe poke around at it.

People decided to use the thread (to my excessive chagrin) to talk shit about kbin and rehash the exact same pressures I was attempting to analyze.

[–] [email protected] 3 points 7 months ago

I am by no means an mbin booster.
I didn't mean to say you were, mine was just a side remark.

[–] [email protected] 2 points 7 months ago

When I started to read breakdowns about the social engineering behind the xz backdoor I was like, "Waaaaitaminute, I've seen that sort of talk before." I found it notable to point out the similarity and maybe poke around at it.

People decided to use the thread (to my excessive chagrin) to talk shit about kbin and rehash the exact same pressures I was attempting to analyze.

It's a shame, because I noticed similar patterns was looking forward to some good discussion about it here. Alas...

[–] [email protected] 1 points 7 months ago (1 children)

This is an absurd thread. By collecting together critical comments, and picking back up a loud fight that previously died down over a week ago, you are absolutely adding to any pressure towards our lad in charge.

Touch grass

[–] [email protected] 1 points 7 months ago

Touch grass

Suck ya mudda

[–] [email protected] 1 points 7 months ago

I switched away because kbin seemed stuck and unresponsive to users and uncommunicative. Changes that were made seemed to be ones the Ernest wanted to and not addressing issues that people were feeling in some cases.

I am a software developer for a living and I can tell you that you can both have more people contributing and be secure. Most projects do not have bad actors who successfully poison things. When someone does, they get caught in the review process. If this is your concern, then prove that Ernest himself isn't a bad actor? I don't believe he is, but being one person in control would certainly make that easy.

[–] [email protected] 1 points 7 months ago

Ernest Adds More Maintainers to Kbin is one of my favorite 80s comedies