Jerboa app and Lemmy 0.18

Ruud@lemmy.worldmod to Lemmy.World Announcements@lemmy.world – 107 points –

The 0.18 version of Lemmy was announced. This will solve many issues.

But we can't upgrade yet because the captcha was removed, and captcha relied on Websockets, which are removed in 0.18 so despite the devs agreeing on my request to add captcha back, this will not be until 0.18.1. Without captcha we will be overrun by bots.

Hopefully this 0.18.1 will be released soon, because another issue is that the newest version of the Jerboa app won't work with servers older than 0.18. So if you're on Lemmy.world, please (temporarily) use another app or the web version.

124

The Dev's stubbornness about captchas is a little baffling. Yes, they're not 100% foolproof but they help.

It's like arguing that we shouldn't have locks on or our doors because a skilled lock picker can get past them.

They agreed to add them back. You can read their comments in OPs link

That only happened recently, though. For weeks they were replying to instance admins requests to reinstate captchas with things like "bots have beaten captchas, so they're useless."

What are you talking about? The issue to bring back captchas was only opened 4 days ago!

Captchas were only removed 2 weeks ago, no one spoke up then: https://github.com/LemmyNet/lemmy/issues/2922

The developers have nothing against captchas. They were the ones who originally built and added the feature: https://github.com/LemmyNet/lemmy/pull/1027

My mistake, I understood admins had been asking for the return of captchas as soon as they were removed.

Still, it took a few days for the devs to agree to reinstate them, which, combined with the general tone seem in that second link, is what gave me the impression that they were reluctant to do so.

In open-source projects and communities, it's often a bad idea to go around looking for (or inventing) conflicts among contributors. It can come across as drama-seeking or trolling.

In software engineering in general, a common reason that a desirable feature has not been written yet is that the people who know & work on the code only have so many hands, and so many hours in the day, and there are other things that also need doing.

This service is undergoing rapid development. Spam & abuse problems are things that folks who have run Internet services before are well aware of. It's not like anyone is going to give up and let spam bots ruin the thing they're building.

I doubt anyone wants to build a service that becomes 95+% spam & abuse, ya know?

My very first post on Lemmy was a (admittedly out-of-date) rant about the devs stubbornness about the hardcoded bad words filter and their behavior in the relevant GitHub issues. And I had people jumping in the comments defending them, telling me that it was fixed years ago, they're better now, surely that couldn't possibly happen again.

I am Jack's complete lack of surprise.

ETA: and yeah, I know about kbin, I've tried both, kinda waiting to see all the new Android native apps before completely moving over there. Seeing how all this shakes out.

Biggest concern for me is the broken auto scrolling/updating. I can't use this site properly as long as the list of topics doesn't stay in place long enough for me to finish reading the headline.

Hopefully after this is fixed I'll start contributing.

Try changing the 1 at the end of the url to 0 as a workaround.

Live updates to the page is a great feature, but instead of fixing it, they just turned it off for 0.18.0. Gotta start making pull requests...

@ruud@lemmy.world Dodged bullet anyway, v18 2FA doesn't make people confirm that their app is configured correctly by asking for a code, as is tradition. It just gives them their QR/Key and locks them into 2FA immediately. If they botch adding it to their app they are locked out. And I hear the code currently being generated is silently incompatible with Authy, so those people end up SOL even if they do everything right.

https://github.com/LemmyNet/lemmy/issues/3309 / https://github.com/LemmyNet/lemmy/issues/3325

Ok so guys, I appreciate the devs of Jerboa for doing what they do, but I am absolutely switching to another app immediately when something else decent shows up.

I'm trying them all. As of today, Connect for Lemmy seems to be working the best

Really liking the look of summit, but it's lacking a lot of features still.

Connect for Lemmy is the best thus far.

Connect is great, but take a look at Liftoff. It's even better. I think we'll see better apps than reddit ever had soon.

Edit: Releases since it' not on F-Droid or Playstore yet.

Liftoff has no way to change font size yet. I find the text too small for easy reading. Trying all the apps at moment. Jerboa is fine, but currently cannot login until lemmy.world is updated. Connect seems to work ok. Basically they are all still a work in progress, but usable.

The latest version of Liftoff let you change font size.

Been using it for a while now. Feels great for being a WIP app but there are still some hiccups (can't suscribe to communities that aren't on the same instance as my account as an example). Prob will use both Jerboa and Liftoff

Btw you're releases link goes to the 0.9.6 release which is still lemmynade

Thunder on Android is the best of all the ones I've tried, Adaptive Icon and Material You support so feels very modern. It's a newer app but has a nice clean layout and development is happening fast.

How does it compare to wefwef.app ? I’ve been using it a couple of days and it’s been pretty sweet so far. Found it on r/apolloapp.

I just checked this out. Until a better native app is created, I feel like this is by far the best choice for using the site on mobile. Good find 👍

I just updated and it gave me an error on jerboa but it still seems to be working fine

Alternatively to Jerboa, it's possible to use the web site as a contained web-app, using Firefox on Android.

Firefox - Open in app

Thanks for showing me this. It worked on chrome too.

Q: When you do that, does it somehow segregate the session/cookies from the rest of your browsing with the browser

ELI5?

there's a couple of points here

  1. current website is version 0.17.4 (you can check this at the very bottom)
  2. version 0.18 is ready, but there's no captcha yet (the thing where you have to identify objects on squares, or click a box that'll turn into checkmark)
  3. without captcha, bot accounts (not real users) can register to the site too easily
  4. so we're gonna wait for version 0.18.1, the one with captcha active.
  5. the Jerboa app, the android app for browsing Lemmy has also recently updated, and will only work for Lemmy version 0.18 up, thus it's advised to use another app or just the web for now

note : the site version 0.18 is already out for the main Lemmy instance, which is lemmy.ml, but lemmy.world (where we are now) is gonna wait for version 0.18.1

I'm currently using the app called lemmy connect without issues.

Yeah it's not bad, I prefer jerboa (really I'm waiting for sync) but connect works fine

I'm using Jerboa and everything seems to be working fine. Edit: Jerboa started playing up mainly crashing on opening it. Binned it off and now using Connect

I first thought my Jerboa was fine (despite the popup warning about version), since I could browse a bit without it obviously exploding. But no, it crashes regularly now (closes, no warning or messages).

I don't understand why a Lemmy update would be considered for release that removes security features like captcha support. (Especially during this time of high rates of signups, and well known bot wave in some instances.)

Combined with Jerboa update that needs the Lemmy update, and popularity of instances that need captcha, it's unfortunately causing a mess for many users.

yeah i agree. This setup is really dumb. I just joined and this took way too much fiddling already for new 'simple' reddit users. Helps i'm used to linux.

Lemmy.world is running Lemmy version 0.17.4 right now (check the bottom of any Lemmy instance and it'll tell you what version is running). The new version fixes a lot of things, but lemmy.world can't upgrade to that new version yet because it'll be overrun by bot accounts. We have to wait for the next version and skip this update because that has the protections for bot accounts.

I know these are early-adopter pain points, but I think if Lemmy is really gonna take off, the devs need to get serious about backward compatibility and ensuring backend upgrades don't completely break major instances/clients. IMO switching from websocket to HTTP should have been treated as a breaking change with a new major version release and a more controlled rollout period for this exact reason.

Quoth semver 2.0.0:

Major version zero (0.y.z) is for initial development. Anything MAY change at any time. The public API SHOULD NOT be considered stable.

"Semver proper" only starts at version 1.0.0:

Version 1.0.0 defines the public API. The way in which the version number is incremented after this release is dependent on this public API and how it changes.

This is important. Many people (and news outlets for that matter) consider Lemmy a product, when it really is very much an on-going early stage development effort.

It's amazing how well everything works already, but nothing should be considered stable at this point.

Why was captcha even removed in the 1sr place?

Captchas depended on websockets which were removed.

https://github.com/LemmyNet/lemmy/issues/3200#issuecomment-1600505757

"Note that captcha uuids and answers were stored in-memory in the websocket server which is removed now, so its necessary to add a new database table for captchas."

No need for a database table, just encrypt the solution and encode it in the filename.

You don't want to provide any more info to the client that you need to. Otherwise someone can write a robot that decrypts that filename and breaks the captcha.

Encrypted means encrypted with real cryptography, using a secret key known only to the server. If a random robot can break that, we are all in trouble. Almost all internet security depends on basically similar cryptography.

If you already Jerboa installed and set up and working then upgraded it in place, it seems to continue working fine with the 'outdated' version of lemmy.

That fact indicates that Jerboa is needlessly and overly sensitive with its startup checks when installing fresh and attempting to connect to a lemmy instance. I consider this a flaw with Jerboa.

Unfortunately, on my phone, the previous version of Jerboa always just crashed instantly on startup. That bug was fixed in the newest version of Jerboa, but I was never able to get Jerboa running enough previously to set it with a user account and preferred Lemmy instance.

Yeah, mine complained about the server version but from what I can see everything still works ok.

For now i made a shortcut on my phone's home screen to this lemmy instance to act as a quasi lemmy client, works pretty well for the time being.

Lemmy is a progressive web app and can be installed directly

Heres a link to the instructions to install pwas from google Install pwa

... so i read the instructions and its not too helpful. Open lemmy in chrome on android then hit the 3 dots in the top right and near/above the option to open the desktop site you should see an install lemmy button

Jerboa just quit when I tried using it on Android - Pixel 5 w/Android 12. Wouldn't open at all, so I quit on it. Trying out Summit now

Also have that problem. V0.0.34 crashes, and V0.0.35 doesn't work with Lemmy.world, so I had to switch to Liftoff

Thanks. I installed Jerboa yesterday and it was not working. Glad to know this may be the cause. I can wait for 0.18.1 for mobile access

You can install 0.0.34 off github in the meantime: https://github.com/dessalines/jerboa/releases

That version crash on launch for me. Anyway to fix it?

EDIT: I fix it doing like this:

  1. Run the app in offline mode (airplane mode).
  2. Than go to login, and try sign in with your account.
  3. Turn on internet again.
  4. Once logged in, I updated the apps, and I am still logged in.

That's strange, it is like you can be logged in, but the devs just opted to not allow you to.

Thank you for the info and keeping on top of this :) have a nice weekend

Lemmymade seems to work for now. But some features are missing there I think.

Is this why there's still a ton of slowness on Lemmy despite the slowness said to be resolved? Because I still can't efficiently use Lemmy, if I'm being honest.

Also, has the Top Day sorting become broken? A community will show as blank for me now when I sort by Top Day.

That was an issue with reddit to. If there's not enough content/ activity it breaks top post sorting for short periods of time.

I used to follow a lot of niche communities on reddit and that was always an issue. I'd have to put it at a year, month/ day wouldn't work.

Damn, that sucks. Is manual approving + email not enough for the time being?

EDIT: I see that in the GitHub issue you linked, you answer this question. TLDR: No, it is not enough it seems.

manual approving

this won't scale, captchas are a low-hanging fruit that should have never been removed

They were removed because they don't work with the new system, not because someone felt like removing it. If someone volunteers to add them back, they'll be back

What I mean is why couldn't they postpone the 0.18.0 release then?

Because it addresses a number of critical bugs. Why is nobody in this thread reading the update announcement? They explain themselves well there.

@ruud@lemmy.world maybe link to it in this post as it'd probably clear up a lot of confusion.

The first link in my post is to the release blog.

Jerboa asks for 0.18 to be installed, but works with 0.17.4 mostly without issues.

So that's why Jerboa crashes as soon as I log in.

Moved to Connect, happy with that.

Jerboa also won't work with Android older than 8.0 though that's less of a problem for server ops. But it still seems like reliance on unnecessary shiny tech. My 5yo Android 7 phone still works perfectly well and I plan to keep using it a while longer, so I can't use the official Lemmy app. I wonder how fundamental Jerboa's dependence on Android 8 is. Anyone know?

The real crime here is that a 5yo android phone is running 7 which was released 8 years ago?

By keeping backwards compatibility that far back you give up on a large set of features. My guess is that Jerboa needed some feature that only exists from Android 8 and above and they didn't want to reinvent wheels.

Probably it would be best if you try to get a used phone with an more up to date Android version.

I've gotten to the point that I think that any new software release of something like Android or Firefox is likely to make it worse than before. Reddit was another example. So I resist. What feature could they possibly want from Android 8 that wasn't in earlier versions? If it was the dev kit (Jetpack) then I can sort of understand, but Android 7 has plenty of user level features, and apps such as RedReader that work fine. I'd be delighted with a RedReader port for Lemmy.

The idea of buying another phone and making more e-waste just to deal with version churn is distasteful to me. I might get interested if I can find a phone that supports Lineage really well, but otherwise I'd rather keep using what I have until it falls apart (it is getting there).

Thanks though.

So I resist. What feature could they possibly want from Android 8 that wasn’t in earlier versions?

I guess it's time for you to get into app development and find out firsthand.> I might get interested if I can find a phone that supports Lineage really well

I might get interested if I can find a phone that supports Lineage really well

Literally every single Google phone. Get a second hand last gen one if you're actually about reducing e-waste and that's not just an excuse.

seems like reliance on unnecessary shiny tech. My 5yo Android 7 phone still works perfectly well

I don't think it's the responsibility of unpaid app developers to work around that, especially when you can probably install a somewhat recent custom ROM. I have an ancient Nexus 4 with LineageOS 18.1 (Android 11, the last version for 32bit CPUs) and that version of LineageOS is still getting updates every few months.

LineageOS doesn't pass google's SafetyNet, so it locks you out of a lot of banking apps, and also some other important apps.

It's possible to run those by rooting the phone and doing some hackery to trick the app into bypassing the SafetyNet check, but that's a race against google security features.

Besides, I gave up running LOS on my old phone and just bought a new phone with stock android 13, and Jerboa crashes on startup on it as well.

LineageOS doesn’t pass google’s SafetyNet, so it locks you out of a lot of banking apps, and also some other important apps.

There are Magisk modules that help with those problems. Yes, it's additional word but using ancient, unsupported, and insecure Android versions is definitively not the proper solution.

That's impressive

That’s impressive

Yes but it's also not that uncommon for Google phones to get many years of updates thanks to community ROMs. Google actually supports old Android versions for a pretty long time, it's just that suites at Google don't want them to formally ship on their own phones and that's how LineageOS and even smaller community ROMs get support those phones with "relatively little" effort (at least compared to phones by random Android OEMs).

That's good to hear. I would be curious to get a Pixel 4a, put LineageOS on it and see how long it would last

I have a 4a right now, plan to replace the battery sometime and switch to a community ROM when Google's formal support ends

FYI: You can't just install LinreageOS on top. It'll require a full wipe. Should you do cloud backups anyway, the step is not that bad. If you never dabbled with that, it's a bit intimidating at first but actually it's not that hard once you grasped the basics.

Asking users to install custom roms to browse Lemmy doesn't seem sound a good strategy for Lemmy to beat Reddit. What I'm wondering is whether Android 8 development is somehow easier than Android 7 development. I have not looked at the source code of RedReader. Someone mentioned the existence of Reddit API emulation for Lemmy. Maybe the easiest thing is run that, and point a copy of RedReader at it.

Lineage does sound nice, but it doesn't support my phone.

Asking users to install custom roms to browse Lemmy doesn’t seem sound a good strategy for Lemmy to beat Reddit.

I don't ask anything of you. You're the one asking volunteer app developers to support your insecure ancient Android version. Installing a new version of Android is a good idea in any case but if you want to continue "resisting" just deal with apps becoming incompatible with time.

My phone came with Android 6, the vendor shipped an upgrade to Android 7, and I installed that. They didn't release any more upgrades. The phone hardware itself is still perfectly good so I really don't want to take part in a hardware upgrade treadmill just because the vendors like to play Wintel. I'm typing this on a laptop from 2011 (Thinkpad X220) that also still works (hasn't fallen apart yet), running Debian 11. It won't run the latest Windows but I don't care.

I still haven't heard any type of explanation what of what stops Jerboa from working with older Androids. If it would take a total rewrite then I can understand the devs not wanting to do that. If it means changing a #define then I'd say change the #define. As a general matter I find Lemmy's web design to be bloatier and more annoying than old.reddit so I'm not sure I would like Jerboa anyway (I haven't seen it). I appreciate the work that the devs and ops have put into Lemmy but Ifrankly prefer the user interfaces of 40 year old Usenet readers to these Javascript pages that squirm all over the screen. So I want to keep persuing text based viewers like RedReader and Gnus. I'd try Jerboa if it was convenient for me to do so, but I'm not going to buy a new phone to run a program that I have doubts about to begin with.