this post was submitted on 29 Mar 2025

198 points (89.0% liked)

Fediverse

32395 readers

473 users here now

A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, KBin, etc).

If you wanted to get help with moderating your own community then head over to [email protected]!

Rules

Posts must be on topic.
Be respectful of others.
Cite the sources used for graphs and other statistics.
Follow the general Lemmy.world rules.

Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration)

founded 2 years ago

MODERATORS

[email protected]

198

The fediverse has a bullying problem (ponder.cat)

submitted 1 week ago* (last edited 1 week ago) by [email protected] to c/[email protected]

116 comments fedilink hide all child comments

So check it out: Mastodon decided to implement follower-only posts for their users. All good. They did it in a way where they were still broadcasting those posts (described as "private") in a format that other servers could easily wind up erroneously showing them to random people. That's not ideal.

Probably the clearest explanation of the root of the problem is this:

Something you may not know about Mastodon's privacy settings is that they are recommendations, not demands. This means that it is up to each individual server whether or not it chooses to enforce them. For example, you may mark your post with unlisted, which indicates that servers shouldn't display the post on their global timelines, but servers which don't implement the unlisted privacy setting still can (and do).

Servers don't necessarily disregard Mastodon's privacy settings for malicious reasons. Mastodon's privacy settings aren't a part of the original OStatus protocol, and servers which don't run a recent version of the Mastodon software simply aren't configured to recognize them. This means that unlisted, private, or even direct posts may end up in places you didn't expect on one of these servers—like in the public timeline, or a user's reblogs.

That is super relevant for "private" posts by Mastodon. They fall into the same category as how you've been voting on Lemmy posts and comments: This stuff seems private, because it's being hidden in your UI, but it's actually being broadcasted out to random untrusted servers behind the scenes, and some server software is going to expose it. It's simply going to happen. You need to be aware of that. Even if it's not shown in your UI, it is available.

Anyway, Pixelfed had a bug in its handling of those types of posts, which meant that in some circumstances it would show them to everyone. Somebody wrote on her blog about how her partner has been posting sensitive information as "private," and Pixelfed was exposing it, and how it's a massive problem. For some reason, Dansup (Pixelfed author) taking it seriously and fixing the problem and pushing out a new version within a few days only made this person more upset, because in her (IMO incorrect) opinion, the way Dansup had done it was wrong.

I think the blog-writer is just mistaken about some of the technical issues involved. It sounds like she's planning on telling her partner that it's still okay to be posting her private stuff on Mastodon, marked "private," now that Pixelfed and only Pixelfed has fixed the issue. I think that's a huge mistake for reasons that should be obvious. It sounds like she's very upset that Dansup made it explicit that he was fixing this issue, thinking that even exposing it in commit comments (which as we know get way more readership than blog posts) would mean people knew about it, and the less people that knew about it, the safer her partner's information would be since she is continuing to do this apparently. You will not be surprised to discover that I think that type of thinking is also a mistake.

That's not even what I want to talk about, though. I have done security-related work professionally before, so maybe I look at this stuff from a different perspective than this lady does. What I want to talk about is this type of comments on Lemmy, when this situation got posted here under the title "Pixelfed leaks private posts from other Fediverse instances":

Non-malicious servers aren’t supposed to do what Pixelfed did.

Pixelfed got caught with its pants down

rtfm and do NOT give a rest to bad behaving software

dansup remains either incompetent for implementing badly something easy or toxic for federating ignoring what the federation requires

i completely blame pixelfed here: it breaks trust in transit and that’s unacceptable because it makes the system untrustworthy

periodic reminder to not touch dansup software and to move away from pixelfed and loops

dansup is not competent and quite problematic and it’s not even over

developers with less funding (even 0) contributed way more to fedi, they’re just less vocal

dansup is all bark no bite, stop falling for it

dansup showed quite some incompetence in handling security, delivering features, communicating clearly and honestly and treating properly third party devs

I sort of started out in the ensuing conversation just explaining the issues involved, because they are subtle, but there are people who are still sending me messages a day later insisting that Dansup is a big piece of shit and he broke the internet on purpose. They're also consistently upset, among other reasons, that he's getting paid because people like the stuff he made and gave away, and chose to back his Kickstarter. Very upset. I keep hearing about it.

This is not the first time, or even the first time with Dansup. From time to time, I see this with some kind of person on the Fediverse who's doing something. Usually someone who's giving away their time to do something for everyone else. Then there's some giant outcry that they are "problematic" or awful on purpose in some way. With Dansup at least, every time I've looked at it, it's mostly been trumped-up nonsense. The worst it ever is, in actuality, is "he got mad and posted an angry status HOW DARE HE." Usually it is based more or less on nothing.

Dansup isn't just a person making free software, who sometimes posts angry unreasonable statuses or gets embroiled in drama for some reason because he is human and has human emotions. He's the worst. He is toxic and unhinged. He is keeping his Loops code secret and breaking his promises. He makes money. He broke privacy for everyone (no don't tell me any details about the protocol or why he didn't he broke it for everyone) (and don't tell me he fixed it in a few days and pushed out a new version that just makes it worse because he put it in the notes and it'll be hard for people to upgrade anyway so it doesn't count)

And so on.

Some particular moderator isn't just a person who sometimes makes poor moderation decisions and then doubles down on them. No, he is:

a racist and a zionist and will do whatever he can to delete pro-Palestinian posts, or posts that criticize Israel.

a vile, racist, zionist piece of shit, and anyone who defends or supports him is sitting at the table with him and accepts those labels for themselves.

And so on. The exact same pattern happened with a different lemmy.world mod who was extensively harassed for months for various made-up bullshit, all the way up until the time where he (related or not) decided to stop modding altogether.

It's weird. Why are people so vindictive and personal, and why do they double down so enthusiastically about taking it to this personal place where this person involved is being bad on purpose and needs to be attacked for being horrible, instead of just being a normal person with a variety of normal human failings as we all have? Why are people so un-amenable to someone trying to say "actually it's not that simple", to the point that a day later my inbox is still getting peppered with insistences that Dansup is the worst on this private-posts issue, and I'm completely wrong and incompetent for thinking otherwise and all the references I've been digging up and sending to try to illustrate the point are just more proof that I'm horrible?

Guys: Chill out.

I would just recommend, if you are one of these people that likes to double down on all this stuff and get all amped-up about how some particular fediverse person is "problematic" or "toxic" or various other vague insinuations, or you feel the need to bring up all kinds of past drama any time anything at all happens with the person, that you not.

I am probably guilty of this sometimes. I definitely like to give people hell sometimes, if in my opinion they are doing something that's causing a problem. But the extent to which the fediverse seems to like to do this stuff just seems really extreme to me, and a lot of times what it's based on is just weird petty bullying nonsense.

Just take it it with a grain of salt, too, if you see it, is also what I'm saying. Whether it comes from me or whoever. A lot of times, the issue doesn't look like such a huge deal once you strip away the histrionics and the assumption that everyone's being malicious on purpose. Doubly so if the emotion and the innuendo is running way ahead of what the actual facts are.

top 50 comments

sorted by: hot top controversial new old

[–] [email protected] 27 points 6 days ago (1 children)

Why are people so vindictive and personal, and why do they double down so enthusiastically about taking it to this personal place where this person involved is being bad on purpose and needs to be attacked for being horrible, instead of just being a normal person with a variety of normal human failings as we all have?

First time on the internet? This happens everywhere, more so when you're anonymous or pseudonymous, but whenever you're behind a screen and everyone on the other side is just a username being controlled by an idiot or a troll.

[–] [email protected] 9 points 6 days ago (3 children)

Agreed. Reddit and Twitter were bad for bullying, doxxing, or just general nastiness, I’m not saying that it doesn’t happen on Mastodon, or the Fediverse in general, but it’s nothing like as bad.

[–] [email protected] 12 points 6 days ago (1 children)

Until someone does something not FOSS'y or anti-linux.

[–] [email protected] 5 points 6 days ago

Or you try to tell them the government they are cheering for is not a leftist one, people here loves to defend them based only on the propaganda that reaches them and get MAD if you don't join the yes-wave.

[–] [email protected] 6 points 6 days ago

If Mastodon/Fedi was at the scale those platforms are we would see more harassment, absolutely. It remains to be proven but I think federation enables a lot more eyes on content which implies harassing material can be removed more quickly.

Federation/decentralization solves a lot of problems over centralized social media, but ultimatley you can't engineer human nature.

[–] [email protected] 5 points 6 days ago

If you build it, they will come

[–] [email protected] 19 points 6 days ago (1 children)

People get so weird about Dansup.

[–] [email protected] 5 points 6 days ago

This is in part because he's in public trainwreck mode fairly often.

[–] [email protected] 12 points 6 days ago (1 children)

Who would've thunk that misusing the same type for both public and private posts (with a sprinkle of weird mention rules to determine the visibility) could backfire?

Well, definitely not Mastodon devs. Lemmy's current approach of using an entirely different type is much better.

If you're interested in some details, I recently wrote a comment about it: https://lemmyverse.link/lemmings.world/comment/14476151

[–] [email protected] 7 points 6 days ago (1 children)

Yeah, the whole thing of "if #public is in to and the user is in cc, it means one thing, but if it's the other way around, it means something different" just reeks of "IDK I just wanted to hack it up and move on and IDGAF how platforms other than Mastodon are going to wind up handling it." Which is fine... as long as your users universally understand that that's your level of care towards honoring non-public visibility settings they're setting on their posts.

load more comments (1 replies)

[–] [email protected] 9 points 6 days ago (2 children)

When I first started the reading I figured the person being bullied was the woman who was upset with dan because her concern about disclosure wasn’t really reasonable. I don’t think the bullying problem is innate to the fediverse, and thankfully we have a lot of tools to safely navigate the fediverse and tune out the abuse.

But there is a not insignificant portion of folks on here that are here because they were banned or warned on mainstream platforms because they couldn’t regulate themselves and still aren’t regulating themselves.

The vast majority of people I’ve came across are genuinely kind. Dansup doesn’t exactly follow best practices in his development which I think causes a lot of strife in the segment of the fedi population who can’t regulate when someone does something they don’t agree with.

I don’t agree with how he has handled loops so I just don’t use it. I don’t think ill of Dan at all.

[–] [email protected] 7 points 6 days ago

I don't exactly think ill of him, but I'll stay away from any platform he creates. He shared one snippet of code where he disabled validating certificate validity and certificate names. When called out on it, he decided to delete the post.

Security and standards don't seem like the first things on his mind.

[–] [email protected] 5 points 6 days ago (2 children)

But there is a not insignificant portion of folks on here that are here because they were banned or warned on mainstream platforms because they couldn’t regulate themselves and still aren’t regulating themselves.

What?

Plenty of people on mainstream platforms are obnoxious. Twitter and Reddit in particular are hives of villainy that make anything available on Fedi platforms look childish. Why do you think people are here because they were ejected from mainstream platforms?

Dansup doesn’t exactly follow best practices in his development which I think causes a lot of strife

What?

Can you elaborate?

[–] [email protected] 4 points 6 days ago

No disagreement that there are many more insufferable people on Reddit and twitter. But whenever meta discussion comes up about leaving those sites such as [email protected] there is always a small handful of people that mention they were banned for “disagreements”. Not to mention the meta drama between .ml users and .world users.

With regards to Dansup, the most common complaints I see are developing Loops closed source and not opening it to federation and still not open sourcing it after 6 months. And with Pixelfed being developed with laravel instead of a stack that is more scalable.

[–] [email protected] 3 points 6 days ago

I did elaborate a bit in a sibling comment.

[–] [email protected] 5 points 6 days ago (2 children)

So, I was probably (one of) the first to post that “Pixelfed leaks private posts” thing on here? I first wrote a long reply to this, but it sort if got away from me. The short version would be,

A) sure, the fediverse has a bullying problem in the sense that people do, and that that is usually exacerbated in any online comment field. People are awful, and that includes me, you, Dansup, and anybody reading this. We're also usually pretty brilliant when nobody's looking.

B) despite what I write above, I don't take bullying lightly. I am really uncomfortable with how you use the generally phrased headline to address this specific case. You're not writing about the fediverse as such, you're casting Dansup as a victim.

C) Dan's up, Dan's down, Dan's a victim, Dan's throwing a fit online and then deleting the tweets. As you cite in OP, some people attribute all sorts of unrelated evil to him. Most of all, my impression is Dansup has as a hard time separating from his role as main developer on Pixelfed, Loops, etc, as online commenters has separating his work from (perceived) personal faults.

D) let's imagine those projects were fully open sourced and developed by the community already. Would we be in the same situation here? Again, resorting to ad hominem bullying in online discussion is unacceptable, but I do question that Dansup is an unequivocable victim. Nor is he an evil mastermind who has engineered this situation to garner pity. He just seems to be extremely hard working, with a generous pinch of need for control of his projects.

[–] [email protected] 10 points 6 days ago

you’re casting Dansup as a victim

Correct. The original blog post wasn’t really all that bullying, I just thought it was mistaken about the security issues involved. The subsequent comments (“incompetent” “toxic” “quite problematic” “funding funding funding” and so on) were what I would describe as bullying. And, it fits a pattern where people take some issue (often one like this where he didn’t even theoretically do anything wrong) and use it as a jumping-off point to start the personal attacks.

Dan’s up, Dan’s down, Dan’s a victim, Dan’s throwing a fit online and then deleting the tweets. As you cite in OP, some people attribute all sorts of unrelated evil to him. Most of all, my impression is Dansup has as a hard time separating from his role as main developer on Pixelfed, Loops, etc, as online commenters has separating his work from (perceived) personal faults.

What?

Why should he separate from his role as main developer? This makes no sense. “Sure those people got personally insulting with Dan for no reason at all, but you have to remember, he’s the main developer of these projects and he won’t separate from them. So it’s complicated.” What?

load more comments (1 replies)

[–] [email protected] 4 points 6 days ago* (last edited 6 days ago) (1 children)

I'm OOTL, ~~who is Dansup~~? (missed the parentheses) What does this person have to do with private posts not being private?

[–] [email protected] 16 points 6 days ago (1 children)

Dansup is a developer who made Pixelfed and Loops.

Depending on who you ask, he either fucked up Pixelfed in a way that exposed Mastodon users' private posts, or else Mastodon implemented private posts poorly and he got caught in the crossfire. I'm firmly in the second camp, so much so that I think it's misleading to describe it in that both-sides type of way, but regardless, that is the lay of the land of the drama.

[–] [email protected] 8 points 6 days ago (1 children)

Never trust the client, right? In this case, the client is another server, run by different people. If software A can fuck up software B, software B is the one that should be fixed with better security. Thanks for clarifying btw!

[–] [email protected] 6 points 6 days ago

Yes. That is 100% my feeling.

Happy to be of service.

[–] [email protected] 0 points 4 days ago (1 children)

A highly relevant post, particularly the part "Address the Elephants in the Room". Just imagine, for a moment, if all the people who were banned from Reddit for being too toxic were to come over here? In that case you would get... Lemmy.

Yet we are here as well. It is an odd mixture. And it is why we aren't really growing (well, barely) despite all the fuck-ups done by Huffman. Meanwhile e.g. Bluesky is really gathering people together! That's the difference that listening to people makes: they go where there's a nice environment, which addresses their concerns, in large part bc it makes them feel heard.

People most definitely don't come to Lemmy to be heard. Well, to be more precise, they do not stay once they learn that it isn't going to happen, without MAJOR efforts on their part to block a goodly fraction of the Lemmy userbase that will not control their own words, hence making anyone who does not enjoy listening to such need to put in the work to do that for them.

[–] [email protected] 0 points 4 days ago (1 children)

Yeah. That's one thing I think Piefed is really doing right. They're trying to make it so that normal people will have a fairly pleasant normal-person experience.

I think Lemmy's core developers including explicit acceptance for toxic online behavior, and some of the original core instances openly celebrating and modeling it, really may ruin the platform for the long term. And yes, you and dubvee are completely right as far as the lack of action in any respect by a lot of people who run the instances to do all that much of substance about the people who seem to want to ruin the experience on those instances.

[–] [email protected] 1 points 3 days ago

You can read in my (successful) Petition to defederate from hexbear.net some stories not only about that instance but also some for Lemmy.ml, including an incident where a mod told a user that they (the mod) wanted to kill them (the OP), then double and tripled down on that thought, all entirely protected by the admins (discussed further here).

When I first considered leaving Reddit, this kind of thing gave me strong pause, and it was only the fact that Kbin.social also existed that got me even a toe-hold into the Lemmyverse. This despite me not caring about Mastodon and thus any of its Microblogs, which lead to me mostly interacting with Lemmy magazines remotely, though with different sorting metrics which did help a little for me to see content that was not merely highly upvoted by people using Lemmy (including hexbear.net, lemmy.ml, etc.) and instead prioritized more by like-minded people using Kbin, and then later Mbin.

PieFed goes MUCH further, providing not merely different voting metrics on mostly the same content but actual tools that even pro-authoritarian Lemmy users want (categories of communities, combined comments across cross-posts, hashtags, etc.), as well as people who want the opposite, it's really extremely flexible.

And I think PieFed is the only hope for the Threadiverse to go mainstream. I'm not saying that I think that we necessarily will, or even that we all want to or should, just that if it were to happen, it won't happen with Lemmy. I'm currently at 100% of people I've told about it irl actively chiding me for having so much as recommended it, which makes a great deal of sense only once you realize that (i) a Google search pulls up lemmy.ml as the top instance, (ii) that instance shows Local rather than All by default, and thus (iii) what someone will be exposed to is content making fun of Western society. Mainstream normal people don't want that! I don't want it either! We learn how to block it, but mainstream normal people don't want to expend hours upon hours to make Lemmy usable - and by hours I mean like tens of, continually, as they keep swatting off the bullies, but there are always more.

The alternative would be to make better mod tools. Which on Lemmy are barely happening, extremely slowly. PieFed is still catching up to Lemmy in terms of base features though, e.g. there is a Preview option but only for posts but not for comments, and many Notifications point to things to read but then won't actually show you the thing when you click on it (due to many reasons, possibly having been removed in the meantime, or being hidden by an auto-collapse or auto-hide feature, or you've blocked all the users from an instance but nonetheless notifications are still sent, etc.) - i.e. it still needs some polish. Hence in the meantime I am not recommending Threadiverse tools to anyone irl atm, unless they are already reading something here and then I recommend to check out PieFed:-).

load more comments