(#ybzi67q) @slashdot@feeds.twtxt.net I thought Sunday was the hottest day on Earth 🤦♂️ wtf is wrong with Slashdot these days?! 🤣
#fwb5yrq
#fwb5yrq
(#ve43paq) if we can figure out wtf is going on here and my theory is right, we can blacklist that feed, hell even add it to the codebase as an “asshole”.
#tvkftha
(#ve43paq) @stigatle@yarn.stigatle.no The problem is it’ll only cause the attack to stop and error out. It won’t stop your pod from trying to do this over and over again. That’s why I need some help inspecting both your pods for “bad feeds”.
#ocx6sla
(#ve43paq) @abucci@anthony.buc.ci / @stigatle@yarn.stigatle.no Please git pull, rebuild and redeploy.
There is also a shell script in ./tools called dump_cache.sh. Please run this, dump your cache and share it with me. 🙏
#uzeqxfq
(#ve43paq) I’m going to merge this…
#6yy4t6q
(#homd37a) @abucci@anthony.buc.ci Yeah I’ve had to block entire ASN(s) recently myself from bad actors, mostly bad AI bots actually from Facebook and Caude AI
#h2b55bq
(#ve43paq) Or if y’all trust my monkey-ass coding skillz I’ll just merge and you can do a git pull and rebuild 😅
#5my6z2a
@stigatle@yarn.stigatle.no / @abucci@anthony.buc.ci My current working theory is that there is an asshole out there that has a feed that both your pods are fetching with a multi-GB avatar URL advertised in their feed’s preamble (metadata). I’d love for you both to review this PR, and once merged, re-roll your pods and dump your respective caches and share with me using https://gist.mills.io/
#ve43paq
(#ze3zlba) @stigatle@yarn.stigatle.no I’m wondering whether you’re having the same issue as @abucci@anthony.buc.ci still? mulit-GB yarnd-avatar-*1 files piling up in /tmp/? 🤔
#3flo6ua
(#uqxxstq) @abucci@anthony.buc.ci So… The only way I see this happening at all is if your pod is fetching feeds which have multi-GB sized avatar(s) in their feed metadata. So the PR I linked earlier will plug that flaw. But now I want to confirm that theory. Can I get you to dump your cache to JSON for me and share it with me?
#essbaxq
(#homd37a) @abucci@anthony.buc.ci Yeah that should be okay, you get so much crap on the web 🤦♂️
#euk2kka
(#uqxxstq) @abucci@anthony.buc.ci sift is a tool I use for grep/find, etc.
What would you like to know about the files?
Roughly what their contents are. I’ve been reviewing the code paths responsible and have found a flaw that needs to be fixed ASAP.
Here’s the PR: https://git.mills.io/yarnsocial/yarn/pulls/1169
#dp723rq
(#rbzcmka) @abucci@anthony.buc.ci I believe you are correct.
#wwimwva
(#homd37a) @abucci@anthony.buc.ci That’s fucking insane 😱 I know what code-paths is triggering this, but need to confirm a few other things… Some correlation with logs would also help…
#fisjsia
(#uqxxstq) Do you happen to have the activitypub feature turned on btw? In fact could you just list out what features you have enabled please? 🙏
#mtvjo6q
(#uqxxstq) These should be getting cleaned up, but I’m very concerned about the sizes of these 🤔
#3ejltuq
(#uqxxstq) Hah 😈
prologic@JamessMacStudio
Fri Jul 26 00:22:44
~/Projects/yarnsocial/yarn
(main) 0
$ sift 'yarnd-avatar-*'
internal/utils.go:666: tf, err := receiveFile(res.Body, "yarnd-avatar-*")
@abucci@anthony.buc.ci Don’t suppose you can inspect one of those files could you? Kinda wondering if there’s some other abuse going on here that I need to plug? 🔌
#3bktsva
(#uqxxstq) @abucci@anthony.buc.ci Hmm that’s a bit weird then. Lemme have a poke.
#pypft3q
Hmm remove the cpu limits on this pod, not even sure why I had ‘em set tbh, we decided at my day job that setting cpu limits on containers is a bit of a silly idea too. Anyway, pod should be much snappier now 😅
#s7xvxga
(#rbzcmka) @movq@www.uninformativ.de Oh nothing much 🤣 Just a bunch of folks running really old versions of yarnd that were susceptible to abuse on the open web 🤣
#srvggpq
What the heck is going on here today, so many messages. 😂
#rbzcmka
(#uqxxstq) Hopefully you should see traffic die off a bit too as the /external endpoint is no longer externally abusable (get it) without being an authenticated user – which became problematic 🤦♂️ – The web is so fucking hostile 🤬
#hs7bhpq
(#uqxxstq) @abucci@anthony.buc.ci Hopefully it shouldn’t 🤞
#ptf3i5q
(#uqxxstq) @abucci@anthony.buc.ci Fuck that script 🤣 you’re good! Just follow the Build from Source docs 😅
#pl2ywiq
(#wbibk2q)
#xb76z4q
Thinking we need to adapt the UI a little bit to something like this
#wbibk2q
(#ze3zlba) @bender@twtxt.net I can see the same errors again hmmm 🧐 @stigatle@yarn.stigatle.no Did you run out of disk again? 😅
#o5tjaaq
I had a play with LiveKit Agents Playground: KITT and I have to say it’s pretty impressive. Not the ChatGPT part of course, but the speech recognition and text to speech synthesis.
KITT is an AI voice assistant powered by LiveKit Agents, Deepgram, Eleven Labs, and ChatGPT. It is running on LiveKit Playground.
It’s too bad it relies on three cloud services, none of which can be run locally (with the exception of Ollama that you could replace the OpenAI component with).
#2isdd4a
(#c7kyxoa) @lyse@lyse.isobeef.org Man gotta love that sunset !!! So nice 😊
#2n6hy3q
(#2zjtkea) You should have the fancy new SPA-like UI too 😅 (just checked!)
#o2ndweq
(#2zjtkea) @stigatle@yarn.stigatle.no No worries at all! 👌
#h6dvlfa
(#2zjtkea) @stigatle@yarn.stigatle.no Note that “Building From Source” is covered in the docs
#5sm37ca
(#2zjtkea) You are reminding me that I should cut a release soon™ so there are binaires you can just “download” and use for the platform of choice 😅
#2sboeyq
(#2zjtkea) @stigatle@yarn.stigatle.no So make deps would have installed some tools in either $GOPATH/bin or $GOBIN. See which with go env. Chuck that in your $PATH and you’re good to run make server. Normally this would be something like:
GOBIN=$HOME/go/bin
GOPATH=$HOME/go
export GOPATH GOBIN
...
#thfdc4q
(#2zjtkea) @stigatle@yarn.stigatle.no Run make deps. I use a non-standard (written in Go) minify tool
#p2enu4q
(#2zjtkea) @stigatle@yarn.stigatle.no Take a backup of the data dir in case I screwed something up 🙏
#deaswda
(#2zjtkea) @stigatle@yarn.stigatle.no Sweet 👌
#thhe53q
(#ug2ndqa) @stigatle@yarn.stigatle.no I think pods have become exploited over time so I’ve had to tighten up some feature like the external handler 😢
#j3vywma
(#2zjtkea) @stigatle@yarn.stigatle.no Ahh! Please update to the latest main 🙏
#y27rjya
(#ug2ndqa) @stigatle@yarn.stigatle.no Works now! 🥳
#ze3zlba
(#ug2ndqa) @stigatle@yarn.stigatle.no It looks like your some kind of problem with the reverse proxy in front of yarnd? 🤔I ’m seeing this error: incomplete chunked encoding error(s) I don’t know anything about this though, tbh I’ve never seen this before myself 🤔”
#ftz4saq
(#fhbvv3a) @stigatle@yarn.stigatle.no I’m doing okay 👌 Busy with work as you can imagine, and still tinkering of course whenever I can spare a moment or two! 😅
#446n3eq
(#uqxxstq) For example this one that got fixed this year:
commit 4304ec7ea3c5df95e0ed82bfa292c9330e342f61
Author: James Mills <james@mills.io>
Date: Mon Jan 24 00:10:33 2022 +0000
Fix bug in DownloadImage() leaking termporary files for external avatar downloads (#746)
#n4wbyjq
#rxjvina
(#uqxxstq) I also think you may be running a version that had a bug and lacked cleanup of those temp files
#kozdnrq
(#uqxxstq) At work right now so will have more concrete details in a few hours from now
#woo4mwq
(#uqxxstq) @abucci@anthony.buc.ci I will have a look but I suspect it has something to do with the open nature of the external endpoint. I closed this loophole recently due to other reasons myself.
#katys3q
(#fhbvv3a) @stigatle@yarn.stigatle.no Nice to see you still around (even if occasionally) 😅
#lh4tmva
(#ug2ndqa) Same hwre
#spwkb7a
(#uqxxstq) @abucci@anthony.buc.ci Please update!
#h6hpmvq