Lemmy faces the same expectations problems as every free/libre software

mustbe3to20signs@feddit.de to Showerthoughts@lemmy.world – 24 points –

It's the same as with Linux, GIMP, LibreOffice or OnlyOffice. Some people are so used to their routines that they expect everything to work the same and get easily pissed when not.

This isn't just open-source software; it's also a collection of servers run by hobbyists.

There is no business here at all. You're not the product, but you're also not the customer — because there is no customer. What you're seeing here is a strictly nonprofit Internet service provided by people who just want to make one.

Which makes Karen behaviour even worse and incomprehensible but most people are humble and don't care too much about some minor problems and a little learning curve.

I was with you until GIMP. If one more person lists it as an alternative to Photoshop I'm gonna lose it. Its UI is terrible, you have to watch a guide just to get started. Can't read PSDs in any viable way. I'm sure people use it just fine but to call it an alternative to Photoshop is just plain lying.

Edit: the other thing I dislike about it being suggested as a replacement is that it assumes you work alone. Anyone on a team with people in PS will not be able to even attempt to use GIMP to get work done.

You wretched Photoshop enthusiast. How dare you defile the sacred realm of pixelated beauty with your blasphemous tools of the Adobe empire! You, who bathe in the deceptive allure of layers and filters, know nothing of the humble struggle of a true purist.

While you revel in your so-called "advanced" software, I, a virtuous wielder of MS Paint, have embarked on an arduous journey. Armed only with a pixelated brush and limited color palette, I navigate the treacherous seas of artistry. Each stroke, deliberate and purposeful, carries the weight of my soul, for I am a master of simplicity.

Do you not understand the profound joy that arises from conquering the challenge of transforming mere pixels into a masterpiece? With each painstaking click, I breathe life into my creations, shaping reality with the precision of a pixel whisperer. Your Photoshop may grant you an abundance of tools, but it lacks the purity and authenticity that flows through the veins of my MS Paint.

Gimp, you say? Ah, a mere imitation of the great MS Paint, seeking validation in the realm of Photoshop. It too shall crumble beneath the weight of its pretentious ambitions. For true artistry lies not in the abundance of options, but in the mastery of limitations.

So, my misguided foe, before you spew your haughty words, remember the legacy of MS Paint. It has endured the test of time, witnessed the rise and fall of software giants, and remained steadfast in its simplistic grandeur. While your Photoshop may dazzle the masses with its flashy tricks, it is MS Paint that stands as the guardian of true artistic purity.

You also need a guide to get going in PS, it's just a different app but fulfills the same tasks.

It fills some of the same tasks.

Which tasks is Photoshop capable of and GIMP is not?

Something I use a ton: smart objects, smart masks, smart filters. Non destructive actions where I can still edit the original and have all previous items applied in a separate file or view in real time.

OK but that's a workflow problem, that's not a missing design tool.

Well these tools are in Photoshop and not GIMP. You can't just hand wave that away as not GIMP's fault.

Photoshop doesn't have a native G'MIC plugin feature. You can't wave that away as not Adobe's fault!

That's how stupid you sound.

Different products have different features and different ways to do things. It's not Gimp's sole purpose to just clone every feature from Photoshop. It's not a Photoshop clone, it's a piece of software in its own right.

Gimp makes great use of the amazing G'Mic filter tool. Adobe doesn't. That doesn't make Gimp better than Photoshop.

Different software makes different choices and people choose whichever they want to use and shut the hell up about it.

My whole point was only that I dislike that people call it an alternative to Photoshop. That's been proven by your post. I'm not trying to have a semantics contest here

Well, it's still not an image manipulation feature missing. It's a workflow feature. You could also just copy a layer. But in the end, Photoshop has no image manipulation feature that is really missing in GIMP, you can export the same result picture.

Right so you've validated my point that it's not a Photoshop alternative.

Look at it like two cars. One is automatic and the other has a stick shift. In the end what I am talking about is the transportation. Both cars drive the same speed and arrive at the same time, but driving stick requires a different workflow than driving automatic. But that does not mean stick shift is no alternative to an automatic.

Those aren't tasks. Those are tools.

A task would be to give us an example of an "end result" that you can accomplish in PS that you can't in GIMP.

Not what tools you use to make it. But the content that comes out the other end.

I'm not going to argue that PS has some extra tools that make stuff easier to do. It has the resources to develop them, after all.

But there is no drawing, animation, photo edit, composition or other end product that you can ONLY do with Photoshop. The only people who say that are people who have never used any alternative.

So my point is still valid that GIMP is not an alternative to Photoshop. It would be like saying this screwdriver is an alternative to this toolset. People coming from Photoshop aren't looking at the singular goal of image manipulation.

The better alternative to Photoshop/Illustrator/InDesign is Affinity. And yeah, while it’s not actually free, you only have to pay once and everything is yours.

Or for quick free edits, Photopea.

The problem with GIMP is not its features, it's how they were implemented. The software isn't intuitive like Photoshop.

I 100% agree, I actually hate GIMP almost as much as I hate Photoshop.

Paint.net is a significantly better software for light to medium image manipulation, and Affinity is what I'd say is an actual replacement for Photoshop. Affinity isn't by any means FOSS but you can't win them all.

My biggest takeaway with open source projects is this:

There's a HUGE jump from being power user friendly to being user friendly in general. Significantly bigger than the jump from dev/contributor users to power users.

UX is something huge companies spend a lot of time and money on to ensure the layman can use the software well, something open source developers do not have the luxury of caring about from the get go.

Power users do not recognize the inbuilt muscle memory they have acquired over time to get around some of the more nagging aspects of the software and get frustrated with new users for not doing the same, while these new users get frustrated at things not being straightforward, or similar to some other software they're used to.

IMO this push and pull is what is truly preventing a Linux desktop experience that is truly layman friendly. But when it works, and an open source project can slowly start putting more of their time into UX when the project is more mature, then it truly starts kicking ass.

Look at how far Blender has come since the 3.0 update. A lot of studios are straight up switching to it for a lot of work that was traditionally Max or Maya based. Obviously you still have some of the "old guard" who felt a little alienated with the sweeping changes from 2.7 to 3, but I feel blender is objectively better for most people since then.

TL;DR: OSS always deals with different competing needs for power users vs regular users, but given enough time things get smoothened out

I think even the jump between 2.7 and 2.8 is huge in terms of user-friendliness and aesthetics, but yeah over time Blender has gotten way more features and support. Hell, it supported ARM Macs way before Maya did, and the latter only got ARM support earlier this year. I expected Apple to fully complete their transition before Autodesk managed to pull it off.

Meanwhile I've been messing around with Linux the past week and it got me installing decentralized apps on my android lol.

Somewhat agree, but don't get me started on a Gimp. To think that gimp was built to be a tool analogous to Photoshop (PS) is naive. It was born to demonstrate GTK GUI widgets and to check boxes on feature list (of supposedly paint program analogous to PS) from a programmer's perspective at most. Ok, they did the thing, checked the boxes, used all widgets, demonstrated that it works and from that day on it had and still has totally inefficient workflow compared to PS and nobody cares about that. Answer to suggestions is almost always half assed, apple soused - you are holding it wrong, we are not PS. :)

My 2 cents, you can learn Gimp, you can adjust yourself to it, but if you have ever worked on PS and were good at it (with all its workflow, shortcuts, up to the level where you work one hand on keyboard, having most toolboxes hidden out of your view, etc..) you'll still feel gimpy. It's like comparing of giving commands to the gnome with an axe versus to an elf with a whole bunch of efficient specialised tools, spells and workflows – both trying to create art. I don't use PS daily for how much, maybe >8 years and use Gimp weekly for about 12 years – I say, it is still gimpy as f.. And I'm a programmer not a designer, designers usually just hate it. I on another hand understand it (and its history) and take it as it is, as an inferior gimpy cousin of PS :)

To think that gimp was built to be a tool analogous to Photoshop (PS) is naive. It was born to demonstrate GTK GUI widgets and to check boxes on feature list

GTK literally means "gimp tool-kit". GTK exists because of gimp and not the other way around. Also, take a look at what Photoshop looked like in 1996 (around Gimp initial release), and tell me that's nothing like the gimp. They used to be pretty similar, but their evolutions diverged. Gimp just chose to stick with the familiar interface, even in the light of PS' changes. Also PS had tens of millions invested in developing it. Had gimp got a tenth of those resources things would be pretty different for both projects.

You are reasoning with your own conclusion that in the context of the question about workflow effectiveness, acceptance by users, tool usefulness it does somehow matter much or in any way – was it the library created as an afterthought or a tool created as a try to use library, or both were born at the same time. :) Who cares. It demoes everything GTK has/had, it was/is clone of Photoshop idea and they lost it long long ago, as it is now much less effective in its workflows. If it was otherwise, the industry standard would be Gimp, but it is just a gimmick of it.

P.S. I'm 100% linux user, my servers linux, my desktop linux, my phone android (ok, that is halfassed linux :) ), my tools and software used, if and then possible, all are opensource and/or free. And still, after many years being totally in FOSS environment, I just can't deny the worthily earned pedestal to Photoshop in its area of expertise. That is not to say that Gimp is somehow bad, by me it's just a remote next, and it doesn't even try to run to the same direction :) and it is his choice.

I am a reddit refugee and just down for fun ride on the bleeding edge. I am finding a lot of the same communities here and I am happy that Lemmy is here to fill the void.

Well that's true for all software - being free/libre or not. It just takes time to get used to it.

For example, when I get a new phone - I spend the next months complaining over how much better the previous one was, until I don't.

And for some reason, mainstream media seems to discourage people from FOSS projects. Just look at the coverage on Lemmy.

"It's clearly not ready yet."

Why? We don't know. It's just not.

This is why I have 4 different apps to surf Lemmy. When one app is acting up I just switch to another. For example I was just barely scrolling in Jerboa but getting a bunch of network errors so I switched to Connect which is where I'm posting this comment. I'm totally down with being patient with Lemmy for the time being. Anything to get away from R*****

Try wefwef.app (go to this website and install it as an app/add it to your homescreen), it's simply amazing.

As for network errors, try switching to an instance close to your house with a low ping, it'll make a big difference. Go to https://fediverse.observer/map and select Lemmy instances.

As someone who used Reddit when it was first released, Lemmy is 10x better than Reddit v0.1 and obviously better than current Reddit.

Better? There are still so many subreddits not migrating here; saying it is better is just exaggeration.

Seemed like this discussion was about the technical capabilities, not the user generated content. Anyway if you compare the beginning of reddit (e.g., the early days after digg's implosion) to lemmy today, I'd bet lemmy is doing just fine on the content side too. And even leaving that aside, there's a quality over quantity aspect in the discussions that heavily leans in lemmy's favor.

It's not like all those subreddits existed at 0.1 though.

I guess as a user I didn't see the back-of-house tools for mods and admins, but so far Lemmy is at least competitive. There are risks with server security and threat of being hacked, along with the size of the team.

There are risks with server security and threat of being hacked

[Citation Needed]. I'm a security professional (my day job involves auditing code). I had a look through the Lemmy source (I'm also a Rust developer) and didn't see anything there that would indicate any security issues. They made good architecture decisions (from a security perspective).

NOTES ABOUT LEMMY SECURITY:

User passwords are hashed with bcrypt which isn't quite as good a choice as argon2 but it's plenty good enough (waaaaay better than most server side stuff where developers who don't know any better end up using completely inappropriate algorithms like SHA-256 or worse stuff like MD5). They hard-coded the use of DEFAULT_COST which I think is a mistake but it's not a big deal (maybe I'll open a ticket to get that changed to a configurable parameter after typing this).

I have some minor nitpicks with the variable naming which can lead to confusion when auditing the code (from a security perspective). For example: form_with_encrypted_password.password_encrypted = password_hash; A hashed password is not the same thing as an "encrypted password". An "encrypted password" can be reversed if you have the key used to encrypt it. A hashed password cannot be reversed without spending enormous amounts of computing resources (and possibly thousands of years in the case of bcrypt at DEFAULT_COST). A trivial variable name refactoring could do wonders here (maybe I should submit a PR).

From an OWASP common vulnerabilities standpoint Lemmy is protected via the frameworks it was built upon. For example, Lemmy uses Diesel for Object Relational Mapping (ORM, aka "the database framework") which necessitates the use of its own syntax instead of making raw SQL calls. This makes it so that Lemmy can (in theory) work with many different database back-ends (whatever Diesel supports) but it also completely negates SQL injection attacks.

Lemmy doesn't allow (executable) JavaScript in posts/comments (via various means not the least of which is passing everything through a Markdown compiler) so cross-site scripting vulnerabilities are taken care of as well as Cross Site Request Forgery (CSRF).

Cookie security is handled via the jsonwebtoken crate which uses a randomly-generated secret to sign all the fields in the cookie. So if you tried to change something in the cookie Lemmy would detect that and throw out the whole cookie (you'd have to re-login after messing with it). This takes care of the most common session/authentication management vulnerabilities and plays a role in protecting against CSRF as well.

Lemmy's code also validates every single API request very robustly. It not only verifies that any given incoming request is in the absolute correct format it also validates the timestamp in the user's cookie (it's a JWT thing).

Finally, Lemmy is built using a programming language that was engineered from the ground up to be secure (well, free from bugs related to memory management, race conditions, and unchecked bounds): Rust. The likelihood that there's a memory-related vulnerability in the code is exceptionally low and Lemmy has tests built into its own code that validate most functions (clone the repo and run cargo test to verify). It even has a built-in test to validate that tampered cookies/credentials will fail to authenticate (which is fantastic--good job devs!).

I have nothing to add, just wanted to give a kudos on the epic comment.

It not only verifies that any given incoming request is in the absolute correct format it also validates the timestamp in the user’s cookie (it’s a JWT thing).

This is false.

Lemmy's JWTs are forever tokens that do not expire. They do not have any expiration time. Here is the line of code where they disable JWT expiration verification.

Lemmy's JWTs are sent via a cookie and via a URL parameter. Pop open your browser console and look at it.

There is no way to revoke individual sessions other than changing your password.

If you are using a JWT cookie validation does not matter, you need to have robust JWT validation. Meaning JWTs should have short expiration times (~1hr), should be refreshed regularly, and should be sent in the header.

When I said, "it validates the timestamp" I wasn't talking about the JWT exp claim (which you're correct in pointing out that Lemmy doesn't use). I was talking about how JWT works: The signature is generated from the concatenation of the content of the message which includes the iat (Issued-at) timestamp. The fact that the timestamp is never updated after the user logs in is neither here nor there... You can't modify the JWT message (including the iat timestamp) in Lemmy's cookie without having it fail validation. So what I said is true.

The JWTs don't have an expiration time but the cookie does... It's set to one year which I believe is the default for actix-web. I'm surprised that's not configurable.

You actually can invalidate a user's session by forcibly setting their validator_time in the database to some date before their last password reset but that's not really ideal. Lemmy is still new so I can't really hold it against the devs for not adding a GUI feature to forcibly invalidate a user's sessions (e.g. in the event their cookie was stolen).

I also don't like this statement of yours:

If you are using a JWT cookie validation does not matter, you need to have robust JWT validation. Meaning JWTs should have short expiration times (~1hr), should be refreshed regularly, and should be sent in the header.

Cookie validation does matter. It matters a lot! Real-world example: You're using middleware (or an application firewall, load balancer, or similar) that inserts extra stuff into the cookie that has nothing at all to do with your JWT payload. Stuff like that may require that your application verify (or completely ignore) all sorts of things outside of the JWT that exist within the cookie.

Also, using a short expiration time in an app like Lemmy doesn't make sense; it would be super user-unfriendly. The user would be asked to re-login basically every time they tried to visit a Lemmy instance if they hadn't used it in <some time shorter than an hour like you suggested>. Remember: This isn't for message passing it's for end user session tracking. It's an entirely different use case than your typical JWT stuff where one service is talking with another.

In this case Lemmy can definitely do better:

  • Give end users the ability to invalidate all logged in sessions without forcing a password reset.
  • Make the cookie expiration time configurable.

When using JWT inside of a cookie (which was not what JWT was meant for if we're being honest) there's really no point to using the exp claim since the cookie itself has its own expiration time. So I agree with the Lemmy dev's decision here; it'd just be pointless redundant data being sent with every single request.

Now let me rant about a JWT pet peeve of mine: It should not require Base64 encoding! OMFG talk about pointless wastes of resources! There's only one reason why JWT was defined to require Base64 encoding: So it could be passed through the Authorization header in an HTTP request (because JSON allows characters that HTTP headers do not). Yet JWT's use case goes far beyond being used in HTTP headers. For example, if you're passing JWTs over a WebSocket why the fuck would you bother with Base64 encoding? It's just a pointless extra step (and adds unnecessary bytes)! Anyway...
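
The behaviour debated in the comments above, as an added example that is not part of the thread and is not Lemmy's code: an HS256 token whose signature covers `iat` but which carries no `exp`, checked against a per-user `validator_time`. The column name `validator_time` comes from the thread; the rule that tokens issued before it are rejected, the `max_age` parameter, the secret and all sample values are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed; a real server uses a random secret


class Rejected(Exception):
    """Raised when a token must not be accepted."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict, secret: bytes = SECRET) -> str:
    """Build an HS256 JWT; the MAC covers header and payload, iat included."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(mac)}"


def verify(token, now, validator_time, max_age=None, secret=SECRET) -> dict:
    """Return the claims, or raise Rejected with the reason."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        mac = b64url_decode(sig)
    except ValueError:
        raise Rejected("malformed token") from None
    # Pin the algorithm instead of trusting whatever the header asks for.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise Rejected("unexpected algorithm")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise Rejected("bad signature")
    if not isinstance(claims, dict) or not isinstance(claims.get("iat"), int):
        raise Rejected("missing iat")
    # Server-side revocation: anything issued before the user's validator_time is dead.
    if claims["iat"] < validator_time.get(claims.get("sub"), 0):
        raise Rejected("session invalidated")
    # Optional age limit derived from iat; None reproduces a token that never expires.
    if max_age is not None and now - claims["iat"] > max_age:
        raise Rejected("too old")
    return claims


def tamper_iat(token: str, new_iat: int) -> str:
    """Rewrite iat in the payload while keeping the original signature."""
    head, body, sig = token.split(".")
    claims = json.loads(b64url_decode(body))
    claims["iat"] = new_iat
    forged = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{head}.{forged}.{sig}"


def outcome(token, **kwargs) -> str:
    try:
        verify(token, **kwargs)
        return "accepted"
    except Rejected as err:
        return str(err)


if __name__ == "__main__":
    issued, year = 1_700_000_000, 365 * 24 * 3600  # constructed timestamps
    tok = sign({"sub": 42, "iat": issued})
    print(outcome(tok, now=issued + year, validator_time={}))
    print(outcome(tamper_iat(tok, issued + year), now=issued + year, validator_time={}))
    print(outcome(tok, now=issued + year, validator_time={42: issued + 500}))
    print(outcome(tok, now=issued + year, validator_time={}, max_age=3600))
```

The first case shows that integrity of `iat` alone does not bound a token's lifetime; the third and fourth show the two server-side controls discussed in the thread, revocation by timestamp and an age limit.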

same as it ever was, if they are so hung up on their particular flow then they should likely just go back and check in later, the software will evolve.

freedom is work...shocker.

Sometimes though it's major issues that turn people away. I've always loved the idea of Linux, but I've never been able to adopt it fully. I've tried multiple times and this current time is no different than before. It's always some major thing that's broken that no amount of research/troubleshooting fixes. At this current moment, my steam install won't download games to my secondary disks. No matter what I change. It's running mostly fine otherwise.

Yeah, it's human nature. Things get better and people come around eventually. KDE Plasma is way more continuous from Windows 10 than Windows 11 is anyway.

That's because Microsoft stole so much from KDE ^^

Oh really? I was unaware lol.

Yes, the KDE twitter account even mocked Microsoft for some of their latest 'innovations'.

Well, ultimately, I'm glad that something open source is wagging the dog's tail, I assumed it was the other way around.

Yes and no, it's mean that the creativity and innovation of people at KDE is taken without credit. But on the other hand it shows that their features are really great...

BTW they not only copied ideas but also KDE Plasma's slogan "Simple by default, powerful when needed."

Yeah, I was reading about that. It's a shame about the credit, but hey, what do we expect.

The thing is if they want people to migrate they should do something about it

Okay but there is no profit incentive to increase migration so either you do or you don't

There is no one here trying to suck your ass to get ad revenue

The problem is it takes time and money to do that, which you can't really get without some kind of structure. I've been wondering what a tech cooperative might look like lately. All the weight of a company like reddit, but owned by the users

It's not just that: it is made worse by the fact that, being "free", resources are limited. For example, Lemmy.world has been experiencing several hiccups and it's bloody slow at the moment. I get it, it runs on small servers. But the QoS is bad nevertheless; how can you expect the average Joe coming from Reddit to stay here?

I’m using wefwef right now, and it's all running pretty smoothly. No complaints here.

Maybe I'm used to Boost on reddit but damn, does it feel weird to vote/reply using 3 dots on the right lol.

Yes, exactly! That's my main gripe with wefwef, same as not being able to swipe right to exit a thread and go back to the feed.

But most of the current apps lack some sort of behaviour customizations we're used to, so I'm keeping two or three of them checked in case of updates.

Thank goodness I’m not the only one with this problem! I’ve gotten into the habit of sliding right from the lines in between posts, but imo this should be taken care of (especially to imitate the quality greatness that was the Apollo app).

I have seen wefwef cited a bit now, what is it? Forgive my ignorance, but I'm new to Lemmy and I'm still learning. It is not an app, is it a website? I have tried to connect to wefwef.net but with no success, so I'm a bit confused.

It's a Lemmy client. It's perfect in every way. Check it out at wefwef.app

Yes and no, most of the free/open software has the problem of being very not-user-friendly (even if it's only for the first time set-up) and the documentation (even the youtube tutorials) are written in a "you should know all this already" way, which is cool if you do, but if this is the first time you are doing this or if it's the only time you are gonna use that knowledge then it's absurd to expect someone to learn it only for one time.

It is normal for someone to complain that the thing that steals all their data or needs a subscription is better because it's easier to use (install, pay/register and use, done), compared with how different and difficult usually it's to install and get to work a FOSS option (download this, install these, run command lines, configure all these, now get all these plugins, etc).

If we want bigger numbers, then it should be at least as easy as the thing we want them to stop using, otherwise we are barking at the wrong tree.

You are missing a point. Closed sourced solutions pay developers a lot... And they focus on the ux. Think about the most famous example, all apple OSes are just like a customized collection of open source stuff, similar to a linux distro, with a user friendly, closed sourced GUI.

Open source solutions that are not user friendly, is just because no one is paid, or there is not enough budget to pay for a high level UX design and implementation

I think you're vastly overgeneralizing the world of software here. Before I make my point here's two facts:

  • There's vastly more FOSS software than there is commercial software.

  • Nearly all commercial software is made for a specific use case or customer.

Just about everyone reading this comment is using FOSS software to do so (Firefox, Chrome/Chromium, or even Edge which is really just customized Chromium). Lemmy itself is FOSS and the majority of websites you visit every day are using FOSS on the back end. Do you feel all this software is "not-user-friendly"?

Let me take a step back from that though and assume you're not really talking about software in general but are actually referring to software with a GUI that runs on a desktop computer. Someone elsewhere in this thread compared GIMP to Photoshop so let's look at that...

Photoshop is not an easy, just-use-it application. To get started most people recommend watching a YouTube tutorial and, having watched a few they definitely start from a place where, “you should know all this already”. For example, if you don't understand the difference between a JPEG and a PNG file you're going to have a bad time.

GIMP is also not an easy, just-use-it application. To get started most people recommend watching a YouTube tutorial and, having watched a few they definitely start from a similar, "you should know all this already" place. Except there's one great big difference: You don't have to pay anything to obtain or use the GIMP. That's the biggest difference!

They're both image editing tools but they were designed with different use cases in mind. Photoshop was made for professional photographers and digital artists working for business. This is why Adobe put great efforts into making sure that certain "workflows" go very smoothly... Because they're the most common in business.

If you try to use Photoshop with a different workflow than what it was designed for you're going to have a bad time! For example, let's say you wanted to perform a series of manipulations and add some text to tens of thousands of photos; a great big directory of .jpeg files. You might search up how to do this in Photoshop (using macros) and you'll quickly come to realize that it was definitely not made for this task!

However, if you searched for how to do the same thing in GIMP well, it actually was made to support that! It's another one of those things where you'll have to learn a new skill but it's doable. It's a use case the GIMP developers had in mind when they made it.

From the perspective of batch editing Photoshop is basically useless. Anyone who tries would find it, "very not-user-friendly" because it was made for a specific purpose and that's not it.

The GIMP was made as a much more general-purpose graphics editing tool. So much so that it can be completely re-skinned to make it look like Photoshop or even operated entirely from the command line. You can even automate very sophisticated workflows with GIMP using Python!

This same sort of argument can be made for nearly every open source tool that is commonly bitched about, LOL! They generalize that FOSS isn't user friendly, completely forgetting or ignoring 7zip, Firefox, VLC, LibreOffice, Notepad++, OBS, Keepass, Greenshot, Ditto, Audacity, etc or any of the many thousands of very popular/common FOSS packages that get used on people's desktops every day.

So here's something I learned about two years ago. GIMP sucks.

Hate on me all you like, but paint.net is the superior program.

Open office is fine. I got it to write up resumes and the few odd things. It did its job fine.

Spreadsheets is a different thing because I only use Excel at work and haven't looked into it past that.

Have you tried newer versions of Gimp? It's taken major strides forward.