Bug reports 🐞on🐛any🦠software🪲

SDF went down over a month ago because they ran out of disk space. I’m calling this a software security bug for needless loss of availability. It should have only been a partial loss of availability.

What should have happened

When the server detects disk space getting low, it should not just crap out. It should switch into a read-only mode. In read-only mode, users can still login and access existing content. New posts, comments, and edits are disabled in this state. The node should signal to other fedi nodes that connect that it is in read-only mode.

Perhaps most importantly, users could then be informed /in band/ that the server still lives. We often see fedi nodes simply vanish out of the pure blue and users are at a spontaneous loss of data and relationships. Logging into a read-only server would settle some nerves.. keep ppls blood pressure down.

Some admins disable downvotes for their whole server (e.g. beehaw). It’s useful indeed considering the software is otherwise incapable of thwarting silent downvotes. But it’s too blunt as just a server-wide option.

For some communities downvotes are appropriate and some are not. The infosec.pub admin may want downvotes to be broadly possible, but it makes little sense for a community like !isdown@infosec.pub. And particularly off or obnoxious for a so-called “safe space” like !humanrights@lemmy.sdf.org.

The only Android app I could find which advertises having offline capability is FOSS Weather, which is now archived and no longer on f-droid.org. When I launch it, there is just a blank screen and a menu. It’s wholly broken apart from the menu, but useless with just a config UI.

The instance who hosts me (slrpnk) defaults to Alexandrite, a 3rd party Lemmy web client. It’s a good move considering how unstable and buggy the stock Lemmy client is.

But it has a bizarre defect. Most of the time, all the icons for actions below comments on the notifications page are blank. On some rare occasions they will mysteriously render. But most of the time I have to guess on the position of an icon, hover, and wait for a text popup. Upvotes and downvotes are indistinguishable.

There are also times when the whole page is a disaster and I must do a hard-refresh. The refreshing causes the server to work harder, and also often triggers slrpnk’s anti-bot javascript test (which is incidental and unrelated to Alexandrite).

This problem is specific to the stock Lemmy client web app. When I visit !foss_requests@libretechni.ca, there is a NEXT button at the bottom. Clicking it simply refreshes the current page and does not advance to the next page. This problem manifests in both Firefox and Chromium based browsers.

Worth noting that other clients (e.g. alexandrite) work fine.

When I visit this page to see blocked instances:

https://slrpnk.net/instances

There is no column containing the rationale. WTF? Rationale is far more interesting than the software and version, and they took enough care to make fields for that.

I notice that if I copy text from either Dino (an XMPP app) or Nheko (matrix client) and paste it into either Ungoogled Chromium or Firefox, the whole browser and all tabs freezes.

WTF. Firefox and UC both claim to have containerized sessions. Every tab should be separate and immune from interference by the others. But if I paste something from either Dino or Nheko into one tab, it fucks whole fuckin’ kit and caboodle. Browser is dead frozen. Must be killed.

It’s likely some kind of Wayland fuck up. Probably some botched interplay between wayland and X11. I did not really dig into it.

cross-posted from: https://sopuli.xyz/post/43760176

The simple concept of linking to a PDF has been enshitified in so many ways of fuckery lately. The linked page has a download link that triggers the fetching of some JavaScript download manager garbage that demands agreeing to, idk, probably something that legally fucks you in a variety of ways.

But what the browser does is worth considering. Chromium and Firefox both show NOTHING when hovering over the hyperlink. Normally I expect to see an URL at the bottom of the window when hovering on something clickable. The browsers do nothing.

Is that a smart design? Shouldn’t the browser signal to the user “clicking this executes JavaScript?”

The stock lemmy web client has had this annoying shitty bug as long as I remember. Not sure how or why ppl have tolerated it for so long.

I started this thread:

https://lemmy.sdf.org/post/52956979

Then I wanted to cross-post to !IRC@lemmy.cafe. The first defect is that it’s impossible to enter the full address of the target forum. Lemmy forces us to enter only part of the name and choose from a pull-down list. Then from there it’s not even smart enough to prioritise the user’s subscribed forums to the top. So entering “IRC” gives a long list of circle jerking forums, while the more simple match !IRC@lemmy.cafe is pushed off the list.

I often need to link to another post, often my own. Naturally I find the cached version of the post on the host I am logged into. But that link is not sensible for sharing. The corresponding URL on the host of the community is universally reachable by all federated participants.

So how do I get that link? It should be the fedi icon.. but no, that’s shit. I have to navigate to the original host, find the community, then browse or search for the post there. It’s such a shitty design.

I posted this, which links to another thread of mine. The preview produced such a big heap of garbage that I decided to just delete the URL. But URLs cannot be deleted in an effort to work around another bug (a shitty preview).

cross-posted from: https://lemmy.sdf.org/post/50840810

Page 8 of the dot2texi manual gives this example:

\documentclass{article}
\usepackage{tikz}
\usetikzlibrary{arrows,shapes}
\usepackage{dot2texi}
\begin{document}
% Define layers
\pgfdeclarelayer{background}
\pgfdeclarelayer{foreground}
\pgfsetlayers{background,main,foreground}
% The scale option is useful for adjusting spacing between nodes.
% Note that this works best when straight lines are used to connect
% the nodes.
\begin{tikzpicture}[>=latex’,scale=0.8]
% set node style
\tikzstyle{n} = [draw,shape=circle,minimum size=2em,
inner sep=0pt,fill=red!20]
\begin{dot2tex}[dot,tikz,codeonly,styleonly,options=-s -tmath]
digraph G {
node [style="n"];
A_1 -> B_1; A_1 -> B_2; A_1 -> B_3;
B_1 -> C_1; B_1 -> C_2;
B_2 -> C_2; B_2 -> C_3;
B_3 -> C_3; B_3 -> C_4;
}
\end{dot2tex}
% annotations
\node[left=1em] at (C_1.west) (l3) {Level 3};
\node at (l3 |- B_1) (l2){Level 2};
\node at (l3 |- A_1) (l1) {Level 1};
% Draw lines to separate the levels. First we need to calculate
% where the middle is.
\path (l3) -- coordinate (l32) (l2) -- coordinate (l21) (l1);
\draw[dashed] (C_1 |- l32) -- (l32 -| C_4);
\draw[dashed] (C_1 |- l21) -- (l21 -| C_4);
\draw[<->,red] (A_1) to[out=-120,in=90] (C_2);
% Highlight the A_1 -> B_1 -> C_2 path. Use layers to draw
% behind everything.
\begin{pgfonlayer}{background}
\draw[rounded corners=2em,line width=3em,blue!20,cap=round]
(A_1.center) -- (B_1.west) -- (C_2.center);
\end{pgfonlayer}
\end{tikzpicture}
\end{document}

It’s a broken example. gives:

ERROR: Package pgf Error: No shape named `C_1' is known.

An example in a manual should just work. What’s the problem?

Seems like a dead project. These two locations are mentioned in the manual and non-existent:

https://www.ctan.org/tex-archive/help/Catalogue/entries/dot2tex.html
http://www.fauskes.net/code/dot2tex/

(edit) CTAN location apparently moved here, but it may be out of maintenance:

https://www.ctan.org/pkg/dot2texi

All similare graphviz pkgs were last modified in 2018.

Conceptually this seems like it could be a quite useful app for getting web pages. I learned about it from @morphite88 @thelemmy.club in this thread. It’s implemented on Android and Windows (not linux? wtf).

I installed the AOS f-droid version, which is ~100mb compressed and over 500mb unpacked. Wow.. wtf that is huge. It’s based on Firefox so I wonder if that’s where all the fat comes from.

In any case, the app simply does not work. When I launch the massive thing, it tries to contact a “bootstrap server”, and fails. I do not trust the clearnet and thus force CENO over Orbot (Tor). Perhaps that’s the issue.

CENO gives an option to enter a custom bootstrap server, but my searches come up empty. Perhaps this app it too unpopular to have alternative public servers.

These devs have a history of incompetence in handling bugs. They also have an incompetently administered bug tracker, which now blocks unregistered visitors from simply viewing bug reports.

The linked bug:

Testing was done using this workflow as an offgrid user:

• Carry a laptop into an Internet cafe to fetch email and run sa-update
• From home without Internet: process the mail (which would take too long in a cafe)
• Also from offgrid home: periodically run sa-learn on false negatives and reprocess

/transparency issue/

Someone approaching SA for the first time would naturally expect sa-update to need Internet, but not SA’s scoring. The fact that SA needs an Internet uplink to score content defies reasonable expectations and fails the “principle of least astonishment”. The man page and docs in /usr/share/doc/spamassassin give no clues that Internet is surprisingly required for scoring.

When I first discovered SA’s scoring tool was accessing the net, I wrapped it with torsocks so as to mitigate leaking personal info to some extent. That worked at a time when Internet was always available to me. I should mention first that torsocks is a hack. It’s not as proper as an app that supports proxies.

Torsocks is also a somewhat futile hack because DNS lookups are often done using UDP. In attempt mitigate that risk, a tor middlebox was tried:

$ firejail --net=vnet0 --dns=\"$(ip address show dev vnet0 | awk '/inet\>/{gsub(/[/].*/,""); print $2 }')\" /usr/bin/spamassassin

But that also failed even when there was Internet and I did not keep notes on how or why.

When “torsocks spamassassin” is executed without a WAN, it behaves poorly. The output is unfriendly nonsense from a python-unaware end-user standpoint when a msg is scored:

===✂----------------------------------------

1767261476 PERROR torsocks[17588]: socks5 libc connect: Connection refused (in socks5_connect() at socks5.c:202)
1767261476 PERROR torsocks[17588]: socks5 libc connect: Connection refused (in socks5_connect() at socks5.c:202)
Use of uninitialized value in subroutine entry at /usr/lib/x86_64-linux-gnu/perl5/5.36/NetAddr/IP/Lite.pm line 647.
Bad arg length for NetAddr::IP::Util::mask4to6, length is 0, should be 32 at /usr/lib/x86_64-linux-gnu/perl5/5.36/NetAddr/IP/Lite.pm line 647.
Compilation failed in require at /usr/lib/x86_64-linux-gnu/perl5/5.36/NetAddr/IP.pm line 8.
BEGIN failed--compilation aborted at /usr/lib/x86_64-linux-gnu/perl5/5.36/NetAddr/IP.pm line 8.
Compilation failed in require at /usr/share/perl5/Mail/SpamAssassin/NetSet.pm line 26.
BEGIN failed--compilation aborted at /usr/share/perl5/Mail/SpamAssassin/NetSet.pm line 26.
Compilation failed in require at /usr/share/perl5/Mail/SpamAssassin/Conf.pm line 88.
BEGIN failed--compilation aborted at /usr/share/perl5/Mail/SpamAssassin/Conf.pm line 88.
Compilation failed in require at /usr/share/perl5/Mail/SpamAssassin.pm line 71.
BEGIN failed--compilation aborted at /usr/share/perl5/Mail/SpamAssassin.pm line 71.
Compilation failed in require at /usr/bin/spamassassin line 78.
BEGIN failed--compilation aborted at /usr/bin/spamassassin line 78.
procmail: [17579] Thu Jan  1 10:57:56 2026
procmail: Program failure (111) of "torsocks"
procmail: Rescue of unfiltered data succeeded
procmail: [17579] Thu Jan  1 10:57:56 2026
procmail: No match on "^X-Spam-Status: Yes"

===✂----------------------------------------

It’s bizarre that compilation would be in play at this stage. The above also took painfully long, and no score was generated.

Testing in a less messy environment yielded better results:

===✂----------------------------------------

$ firejail --net=none /usr/bin/spamassassin -t < /usr/share/doc/spamassassin/examples/sample-spam.txt
…
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on localhost
X-Spam-Flag: YES
X-Spam-Level: **************************************************
X-Spam-Status: Yes, score=1000.0 required=5.0 tests=BAYES_40,GTUBE,NO_RECEIVED,
        NO_RELAYS autolearn=no autolearn_force=no version=4.0.1
…

===✂----------------------------------------

The workaround for me will be to prefix with "firejail --net=none". But that’s not ideal because it means the procmail scripts must be altered between torsocks and firejail every time WAN availability changes.

What does the “-t” flag do? That appears in USAGE.gz but the man page does not disclose any CLI options. What other CLI options are there?

SA can probably be configured to skip tests that need a WAN, but it’s likely unsurmountable for a novice user to quickly derive an advanced configuration like that. If possible, the docs should disclose a sample config for offline mode of operation.

Or even better, add a simple CLI flag “--offline”.

/several bugs and enhancement requests enumerated/

1. The man page and docs should state that Internet is used for scoring and the comprehensive docs in /usr/share/doc should state the rationale.

2. Spamassassin should be configurable to support a proxy. Ideally, users should have a choice of SOCKS and HTTP proxies. Note that DNS lookups often use UDP which the Tor network will not carry. So if a proxy is supplied SA should also take care to use TCP.

3. When a task requires a WAN and the WAN is unreachable, in the very least SA should give useful information and terminate more gracefully when torsocks is used.

4. Or better than ③ above, SA should continue scoring in a degraded state. It should be able to give a score without a WAN and perhaps add a warning header stating that the scoring was degraded by the lack of connectivity.

5. Document all CLI options (e.g. -t) in the man page.

6. Document a sample offline configuration.

7. Add an offline mode of operation that can be switched on the CLI.

Perhaps torsocks is somehow deceiving SA about WAN availability. If SA is not going to be smart about that scenario, then the proxy option is needed. A proxy option is needed anyway, in fact. And the proxy option should be prominently documented and encouraged because there are security compromises when running with default configs over the clearnet.

Comment from the idiot (Bill Cole) who closed the bug:

No SpamAssassin Bug is described here.

You are free to take this structureless conversational topic to the SpamAssassin Users mailing list.

#rspamd is probably a better tool. SA devs have been incompetent as long as I remember.

When Ungoogled Chromium is installed as follows:

http://web.archive.org/web/20260108185143/https://software.opensuse.org/download.html?project=home%3Aungoogled_chromium&package=ungoogled-chromium

An expired key gets in the way.

I finally escaped a rabbit hole 🕳 after a ~week-long struggle due to bug 385 and several python packaging bugs. Bug 385 broke the offline capability of Argos Translate sometime before Jan.2024. The OP’s advice worked incidentally at that time but no longer works. Apparently the release version that was in PyPi around mid-May 2024 still worked. Apparently the release cycle spans 5+ months. That window of time is far behind us now.

As of late Dec.2025 both the latest git version and the PyPi-indexed release still had the same bug.

To complicate matters, there is no version transparency (no --version cli option and pipx is blind to version numbers as well). Argos Translate is not packaged for Debian either, so no way to see or control versions with apt.

Does any distro include Argos Translate?

It’s a critical show-stopping bug for all who use Argos Translate offline. I wonder if there is an assumption that everyone’s PCs are all online anyway, so no need to treat the bug as a priority.

(#showerThoughts: might it be interesting if a live linux distro were designed to cater for air-gapped off-gridders that only has apps that work offline? And have a rich catalog of such apps?)

cross-posted from: https://lemmy.sdf.org/post/47790706

I just encountered the same confusion as others in the linked thread. The pipx tool has this in the man page:

       --pip-args PIP_ARGS
              Arbitrary pip arguments to pass directly to pip install/upgrade commands

So of course I had a space after --pip-args. It failed because the software does not work as documented. Someone reported this in 2019. The software is still inconsistent with the docs. Yet someone closed the bug report.

Re-opening or requesting re-opening requires licking Microsoft’s boots. I’m done with MS Github logins.

cross-posted from: https://lemmy.sdf.org/post/47684973

This page says:

6.6. What do I do if my jigdo download gets interrupted? If your download gets interrupted, all you need to do is restart jigdo-lite and hit ENTER at all the question prompts. Jigdo-lite will pick up where it left off.

But when I re-run jigdo, it says:

The temporary directory `./debian-13.2.0-amd64-BD-1.iso.tmpdir' already exists. Its contents ARE GOING TO BE DELETED (possibly after having been copied to the image, if they are of interest for it). If you do not want this to happen, press Ctrl-C now. Otherwise, press Return to proceed.

So which is lying, the tool or the docs?

update

I just realised it was a problem of poorly written text and sloppy reading. I mentally skipped what was in parathesis, which was important.

Strange that it would build a partial image before continuing.

I would say there’s still a minor bug here, just in the bad under-emphasised wording.

I’ve been producing sidebars to the left of a body of text using the framed package, which only gives black results reliably. The colorframed pkg is a hackjob of patchwork that tries to fix color problems from framed. But apparently it does not support a color leftbar. It’s a shame because I am creating a package that makes use of both leftbar and pdfcolparcolumns. The pdfcolparcolumns can do color vertical bars but it brings baggage and side effects. So I substitute \leftbar from framed when parcolumns screws the pooch. But then I cannot color a leftbar from colorframed to match pdfcolparcolumns vertical rules.

Guess I’m fucked.. not really interested in any complex options. If there is a decent drop-in solution I would be interested.

I posted a duplicate thread because the Lemmy UI was so slow with a post submission I thought it gave up. So I deleted the dupe. But then later when visiting the same community from an mbin account the duplicate still appears.

cross-posted from: https://linkage.ds8.zone/post/543756

This seems quit serious because there is a security issue when one app can interfere with another.

If Ungoogled Chromium is running when Nheko launches, U/C instantly freezes. No i/o is possible with U/C. Then when Nheko is quit, U/C goes down with it.

I installed the app on AOS 5 in 2022. It shows the title screen then crashes. So I never used it. I recently had another look. They now impose AOS 6 or newer. So I went to Izzy’s archive and found the latest AOS 5 version (1405). Wow how fat we’ve gotten.. The APK (which is compressed) went from 12mb to 86mb. It gave some error when trying to side-load.

possible workaround

So I guess the app can’t serve me. And there is no desktop app AFAICT. I was glad to find the DB (mondoDB-based) is freely available. That beast is ~13gb compressed. Before I work on freeing up space, can anyone say whether it is practical to make direct SQL queries on it? Is it straight forward to port it to SQLite, or worthwhile to learn this new mondo DB platform?

This was discovered by Jim East:

https://slrpnk.net/post/27305276/18006810

I must say it fails the principle of least astonishment. If a user blocks Lemmy.World but subscribes to !linux@lemmy.world, for example, they obviously want to exceptionally see content in the subscribed community but nothing else from that node. But what happens is the instance block overrides the specific community subscription. So the general rule is prioritised above the specific rule.

And worse, when visiting the subscribed community it just shows no posts without reminding the user that they have a relevant block in place.