So if you do the Docker setup, obeying the instructions and substituting everything that needs to get substituted, but don’t proofread the files in detail and so miss that line 40 of docker-compose.yml doesn’t have the variable {{domain}} like in every other location you need to write your domain, but instead just says LEMMY_UI_LEMMY_EXTERNAL_HOST=lemmy.ml and so you fail to change it away from lemmy.ml… then, everything will work, until you type in your admin password for the first time, at which point your browser will send a request to lemmy.ml which includes your admin username, your email address, and the admin password you’re trying to set. And, also, of course your IP address wherever you are sitting and setting up the server.
I have no reason at all to think the Lemmy devs have set their server up to log this information when it comes in. nginx will throw it away by default, of course, but it would be easy for them to have it save it instead, if they wanted to. And my guess is most people won’t use a different admin password once they figure out why creating their admin user isn’t working and fix it.
@dessalines@lemmy.ml @nutomic@lemmy.ml I think you should fix the docker-compose.yml file not to do this.
Edit: Just to increase the information-to-rudeness ratio of my post. The docs are at:
https://join-lemmy.org/docs/administration/install_docker.html
And they recommend using wget to download:
https://raw.githubusercontent.com/LemmyNet/lemmy-docs/main/assets/docker-compose.yml
Which is pulled from:
https://github.com/LemmyNet/lemmy-docs/tree/main/assets
Which is what has the wrong line 40 in it.
Edit: They fixed it. Good stuff.
Just for the hell of it, I don’t know about OP, but I don’t even know how to.
I went to the relevant linked section and couldn’t find a way to raise an issue directly. I’m going to try again, and if I succeed I’ll return here and make a top level comment for anyone scrolling by and wondering. I’ve never tried to do this before, so I’ll see how it goes.
Edit: aha!
You have to go to the issues page and select the “new issue” button, where you’ll be directed to log in to github.
Which, for me, means I’m finished trying. No desire whatsoever to have another login for a one time thing. If I ever manage to learn enough code to do anything like this often enough, I’d do it, but it just isn’t worth it to satisfy my curiosity about the process.
OP managed to find the bug. He knows how to fix it. Obviously he’d know how to make an issue about it, and probably even know how to contribute his fix that he already made in the official way to the open source project.
You do not possess these skills so obviously you’re not the one who should make the issue.
Yet he decided to somehow create this public post highlighting something that could be sketchy to try to publicly discredit the devs. There is no other reason to do it like this.
If it could be sketchy the public should know about it.
The people that didn’t change their password after it getting leaked should also know about it and update their info.
Whistleblowers like Op are doing the right thing. No blind faith in some dear leader.