ShittyKopper

joined 2 years ago
[–] ShittyKopper@lemmy.blahaj.zone 2 points 3 months ago (5 children)

Yeah, that is a shortcoming of the protocol. But it's necessary in order to be secure until things improve (and given this is AP, that's gonna be a while. People seem to love bikeshedding in circles instead of doing actual work)

[–] ShittyKopper@lemmy.blahaj.zone 4 points 3 months ago* (last edited 3 months ago) (7 children)

Instead of sending the entire object embedded in the activity, the secure way would be to only send the URI instead. This is permitted by JSON-LD.

On the receiving side, if the object is untrusted (i.e. if it isn't signed or if it's from a separate authority from the parent object containing it) it should be thrown away and the id should be fetched from the remote instance directly (same as it would happen if it was a URI instead of an inline object). This is completely an oversight on Lemmy's implementation and not a protocol problem.
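The receiving-side check described in the comment above, as an added example that is not part of the original comment and is not Lemmy's code. The `fetch` and `proof_ok` hooks, the `signer_id` parameter and all sample URIs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def authority(uri):
    """(scheme, host, port) of an https URI, or None if unusable."""
    if not isinstance(uri, str):
        return None
    try:
        parts = urlsplit(uri)
        port = parts.port or 443
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname.lower(), port)

def resolve_object(activity, signer_id, fetch, proof_ok=lambda obj: False):
    # signer_id: actor whose signature on the delivery was already verified.
    # fetch(uri) -> dict and proof_ok(obj) -> bool are hypothetical hooks.
    obj = activity.get("object")
    if isinstance(obj, str):
        uri, inline = obj, None
    elif isinstance(obj, dict) and isinstance(obj.get("id"), str):
        uri, inline = obj["id"], obj
    else:
        raise ValueError("object has no usable id")
    origin = authority(uri)
    if origin is None:
        raise ValueError("object id is not an https URI")
    # Trust the inline copy only if the sender is its authority or it is signed.
    if inline is not None and (origin == authority(signer_id) or proof_ok(inline)):
        return inline
    # Otherwise discard it and dereference the id, as for a bare URI.
    fetched = fetch(uri)
    if fetched.get("id") != uri:
        raise ValueError("origin returned a different object")
    return fetched

# Constructed sample data: a relay embeds a rewritten copy of a remote Note.
NOTE_ID = "https://origin.example/notes/1"
ORIGIN_STORE = {NOTE_ID: {"id": NOTE_ID, "type": "Note", "content": "original text"}}
ANNOUNCE = {
    "type": "Announce", "actor": "https://relay.example/c/reposts",
    "object": {"id": NOTE_ID, "type": "Note", "content": "rewritten text"},
}

def demo():
    return resolve_object(ANNOUNCE, ANNOUNCE["actor"], ORIGIN_STORE.__getitem__)

if __name__ == "__main__":
    print(demo()["content"])
```

The embedded copy from `relay.example` is dropped and the Note is re-fetched from `origin.example`, so the rewritten content never reaches storage.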

[–] ShittyKopper@lemmy.blahaj.zone 6 points 3 months ago* (last edited 3 months ago) (9 children)

I seriously doubt Lemmy currently does any validation whatsoever. There were communities using this blatant security issue for non-malicious purposes (see https://endlesstalk.org/c/tails@lemmon.website, which re-wrote posts from people (which is only possible if the posts weren't validated, or at least re-fetched from their origins)).

There is a way to re-share and validate remote activities, either through LD signatures (ew, JSON-LD processing :vomit:) (which only Mastodon and Misskey implement) or the newfangled FEP-8b32 Object Integrity Proofs (which nobody relevant on the microblogging space implements).

[–] ShittyKopper@lemmy.blahaj.zone 4 points 3 months ago* (last edited 3 months ago)

Yep, all this ^^^

This is also one of the reasons why I believe ActivityPub client-to-server failed and will likely never gain much traction. It either needs every single client to re-implement all the features it wants from scratch, or the entire ecosystem needs to be dumbed down to fit a single mold. Leave all the unique functionality in "uncommon" software like (streams) and friends, even software like Lemmy or PeerTube would likely be extremely difficult to build in a world where client-to-server actually became a thing.

The only way I can see C2S actually taking off is as an IPC protocol between an "app server" (which would be the equivalent of Mastodon or Lemmy or (streams)) and a "federation server" which is just a dumb pipe that distributes and receives objects and activities, and even that has its fair share of concerns, both around efficiency and the same "dumbing down" problem.

[–] ShittyKopper@lemmy.blahaj.zone 1 points 3 months ago* (last edited 3 months ago)

most people on lemmy do not understand the tradeoffs both activitypub and its implementors do, as evidenced by this exact community we're in. these memes wouldn't gain any traction even if they were funny to their intended audience (which i have doubts on if it's possible to do but idk i'm not creative enough)

[–] ShittyKopper@lemmy.blahaj.zone 1 points 3 months ago (21 children)

i'd argue none of those are fun topics you can joke about but "memes as a form of outrage" (aside from, like, two) which is already a problem (see all the political memes on any of the meme communities for countless examples) we do not need to encourage imo

[–] ShittyKopper@lemmy.blahaj.zone 9 points 3 months ago (30 children)

to be fair there isn't that much about the fedi in general that you can meme about. the closest you can get are in-jokes but:

a) lemmy doesn't have them because this place is uncreative and only serves as a dumping ground for memes from other places when they aren't bickering about politics
b) in-jokes of different parts of fedi do not translate well just because they share a protocol, given the extremely little overlap on people here
c) they're not really "fediverse memes" just because they happened in the fediverse, are they

[–] ShittyKopper@lemmy.blahaj.zone 4 points 3 months ago (1 children)

iirc mastodon was implementing smithereen's flavor of groups. no idea if they ended up changing course or anything (not following masto dev too closely) but the way they work is fundamentally different from how Lemmy and compatible groups work

[–] ShittyKopper@lemmy.blahaj.zone 4 points 3 months ago (3 children)

from what i can tell (from the work in progress pull request) mastodon's group implementation explicitly does not aim for compatibility with lemmy

other than that, i agree on activitypub being crap in terms of making interoperability easy

[–] ShittyKopper@lemmy.blahaj.zone 3 points 4 months ago

the specs are so open ended that i doubt real interoperability will ever happen. you can break interoperability with basically every other current software out there and still be compliant with the specs

[–] ShittyKopper@lemmy.blahaj.zone 2 points 4 months ago (2 children)

that post will have been a text post, not a link (those are likely broken now, and certainly were broken a year ago due to a bug in the misskey 12 codebase inherited by firefish and forks. modern versions of misskey just fixed that a couple months ago)

the username thing does not completely break federation, but it will randomly confuse instances. there's a 50/50 chance whether an instance will get the correct user it asks or not, and once an instance resolves a user once it'll have a similar 50/50 chance for each profile update (icon change, sidebar change, etc.). of course, if there's no conflicting user for a community (or vice versa) then federation will be fine.

[–] ShittyKopper@lemmy.blahaj.zone 3 points 4 months ago (4 children)

oh no that's not a new change afaik it was always like this
