Spyke

security · Security · by freamon

A partial response to "Piefed has some really bad security bugs that people running this software should be aware of"

I've been offline for a while, so didn't see this originally, but I randomly came across things that seem to be in reaction to this now-removed post.
I fetched the body of the post from the modlog - I'll avoid reposting it here, but wish to respond to the concern that's the "first big one".

Let's imagine that your instance had a minor outage. During that time, a remote user has made a post that their instance is trying to make you aware of by POSTing it to your inbox. It possibly retries a few times, but eventually it gives up.
Now you're online again, and you're receiving Likes and Replies to a post you don't have. Or maybe one of your users has noticed it's missing, so plugged it into the Search box.
What happens now? Well, if your instance is running Lemmy, it fetches it from the original source. This is normal and expected behaviour, and it's just a plain old boring GET request.
If - for example - the post was https://lemmy.ml/post/47524469, then you never received a signed Create from https://lemmy.ml/u/yogthos, or a signed Announce from https://lemmy.ml/c/programmerhumor - there's no cryptographic verification at all, but you've asked an instance about activity from one of its own actors, and if you don't trust what it's saying, then you've got much bigger problems.

This isn't any different from what PieFed was doing (as part of its inter-op with PeerTube).
PeerTube has a different federation model than Lemmy. Video channels are like communities in many respects, but if it receives a reply from a remote user to a local video, then instead of sending out a signed Announce by the channel (as Lemmy would do), it just resends the original Create out to its followers, but signed by the instance's "Application" actor instead. This meant that these replies were failing signature verification checks, because the 'actor' in the ActivityPub JSON (something like https://example.social/user/alice) was different from the actor who signed the POST (something like https://tinkerbetter.tube/accounts/peertube).
If you wanted to do it 'properly', then first you'd have to have a way of storing Application actors in your database, then you'd have to dig into the request header and get the Signature keyID, and then once that verified, you'd want to make sure that the instance does indeed host the appropriate community. Alternatively, you can think "bollocks to that", and just fetch the content from https://example.social/ instead.

There seemed to be some concern that an attacker could set up evil.com and send an unsigned POST to a PieFed instance saying that https://evil.com/user/alice has made a post to https://evil.com/post/1 and, instead of rejecting it as unsigned, PieFed would fetch https://evil.com/post/1.
Well ... yeah? If you own evil.com, then you have all the keys for your users, so nothing is stopping you sending posts that are signed by them (it's not like users know their own private keys). As such, whatever you might want to return from a GET request to https://evil.com/post/1 is exactly what you could put in a signed POST request from https://evil.com/user/alice anyway. If you're a malicious user with your own server, then you can pollute the fediverse as much as you like, until you get defederated of course, but the relevant bit of PieFed code wasn't making it any easier for such people.

View original on lemmy.world
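
The three situations the post above describes (a Create signed by the actor named in it, one signed by a different key such as PeerTube's Application actor, and one with no signature at all) as inbox-side decision logic. This is an added example, not code from PieFed, Lemmy or the post's author. The hostnames, key material and the `ORIGIN_STORE` lookup are constructed; HMAC-SHA256 stands in for the RSA-SHA256 of real HTTP Signatures so the block runs with the standard library only, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed example data. HMAC keys stand in for each actor's RSA key pair so
# the block runs with the standard library only; real ActivityPub servers verify
# RSA-SHA256 against the publicKey published at the keyId URL. The hostnames are
# illustrative, not real instances.
KEYS = {
    "https://example.social/user/alice#main-key": b"alice-key",
    "https://tinkerbetter.tube/accounts/peertube#main-key": b"peertube-key",
}

# Stand-in for a GET to the object's own origin (what Lemmy does on a miss).
ORIGIN_STORE = {
    "https://example.social/post/1": {
        "id": "https://example.social/post/1",
        "type": "Note",
        "attributedTo": "https://example.social/user/alice",
        "content": "the reply, as served by example.social",
    },
}

SIGNED_HEADERS = ["(request-target)", "host", "date", "digest"]


def digest_header(body):
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def signing_string(method, path, headers, signed_headers):
    """Build the draft-cavage HTTP Signatures signing string."""
    lines = []
    for name in signed_headers:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {headers[name]}")
    return "\n".join(lines)


def parse_signature_header(value):
    """Turn keyId="...",headers="...",signature="..." into a dict."""
    params = {}
    for part in value.split(","):
        key, _, val = part.partition("=")
        if key.strip():
            params[key.strip()] = val.strip().strip('"')
    return params


def sign_request(method, path, headers, body, key_id):
    """Return a copy of headers with Digest and Signature added for key_id."""
    headers = dict(headers)
    headers["digest"] = digest_header(body)
    mac = hmac.new(KEYS[key_id], signing_string(method, path, headers, SIGNED_HEADERS).encode(),
                   hashlib.sha256).digest()
    headers["signature"] = (f'keyId="{key_id}",algorithm="hs2019",'
                            f'headers="{" ".join(SIGNED_HEADERS)}",'
                            f'signature="{base64.b64encode(mac).decode()}"')
    return headers


def verified_signer(method, path, headers, body):
    """Return the actor id whose key signed the request, or None if unverifiable."""
    params = parse_signature_header(headers.get("signature", ""))
    key_id = params.get("keyId")
    if key_id not in KEYS or "headers" not in params or "signature" not in params:
        return None
    signed = params["headers"].split(" ")
    if "(request-target)" not in signed or "digest" not in signed:
        return None  # signature must cover the target and the body digest
    if headers.get("digest") != digest_header(body):
        return None  # body was altered after signing
    try:
        given = base64.b64decode(params["signature"], validate=True)
        expected = hmac.new(KEYS[key_id], signing_string(method, path, headers, signed).encode(),
                            hashlib.sha256).digest()
    except (ValueError, KeyError):
        return None
    if not hmac.compare_digest(expected, given):
        return None
    return key_id.split("#", 1)[0]


def origin(url):
    return urlsplit(url).netloc.lower()


def handle_create(method, path, headers, body):
    """Decide what to do with a Create delivered to the inbox.

    Returns ("accept", object) when the body is signed by the named actor,
    ("fetch", object) when the body is untrusted but the object lives on the
    actor's own host and could be fetched from there, or ("reject", None).
    """
    activity = json.loads(body)
    actor = activity["actor"]
    obj = activity["object"]
    obj_id = obj["id"] if isinstance(obj, dict) else obj
    if verified_signer(method, path, headers, body) == actor:
        return "accept", obj
    if origin(obj_id) != origin(actor):
        # An unverifiable claim about an object on a host the actor does not own.
        return "reject", None
    # Unsigned, or signed by some other key (e.g. an instance Application actor):
    # ignore the body and ask the object's own origin, which is authoritative
    # for its own actors anyway.
    fetched = ORIGIN_STORE.get(obj_id)
    return ("fetch", fetched) if fetched else ("reject", None)
```

The check that makes the fallback safe is the one comparing the object id's host with the actor's host: the receiving instance only ever asks a server about its own objects, which is the point the post makes about lemmy.ml. In a real deployment that GET should go through the same outbound-fetch limits (rate limiting, blocked-instance list, response size caps) as any other remote lookup, since it is triggered by an unauthenticated request.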
fediverse · Fediverse · by freamon

[Resolved] lemmyverse.net looks to be unmaintained and is becoming increasingly less useful

As you may have noticed, the crawler at https://lemmyverse.net isn't picking up anything from instances on versions 0.19.4 or 0.19.5.

The Issue itself is easily fixed, and there's already a PR for it from lemm.ee's admin, but there's been no response from the lemmyverse developer.

Does anyone have any other ways of contacting him?
If this continues (I realise 2 weeks isn't that long), is anyone interested in forking the code and hosting it on a new domain?

Thanks.

fediverse · Fediverse · by freamon

Quick video demonstrating that lemmy.world sends every activity out twice

I realise this is a known issue and that lemmy.world isn't the only instance that does this. Also, I'm aware that there are other things affecting federation. But I'm seeing some things not federate, and can't help thinking that things would be going smoother if all the output from the biggest lemmy instance wasn't 50% spam.

Hopefully this doesn't seem like I'm shit-stirring, or trying to make the Issue I'm interested in more important than other Issues. It's something I mention occasionally, but it might be a bit abstract if you're not the admin of another instance.

The red terminal is a tail -f of the nginx log on my server. The green terminal is outputting some details from the ActivityPub JSON containing the Announce. You should be able to see the correlation between the lines in the nginx log, and lines from the activity, and that everything is duplicated.

This was generated by me commenting on an old post, using content that spawns an answer from a couple of bots, and then me upvoting the response. (so CREATE, CREATE, LIKE, is being announced as CREATE, CREATE, CREATE, CREATE, LIKE, LIKE). If you scale that up to every activity by every user, you'll appreciate that LW is creating a lot of work for anyone else in the Fediverse, just to filter out the duplicates.

support · Lemmy.world Support · by freamon

The 'memes' community is missing an outbox

For anyone unaware, a community's outbox typically contains the last 50 or so Post Announcements - it is retrieved when you are the first person to find a community on a remote instance. It also seems to be fetched whenever a community on a remote instance realizes it's out of sync with the community on its host instance.

Compare:

curl --header 'accept: application/json' https://lemmy.world/c/memes | jq -r .outbox           
=> https://lemmy.world/c/memes/outbox                
curl --header 'accept: application/json' https://lemmy.world/c/memes/outbox | jq .       
{
  "error": "unknown",
  "message": "Record not found"
}

with

curl --header 'accept: application/json' https://lemmy.world/c/linuxmemes | jq -r .outbox      
=> https://lemmy.world/c/linuxmemes/outbox          
curl --header 'accept: application/json' https://lemmy.world/c/linuxmemes/outbox | jq .orderedItems[0]   
{   
    "id": "https://lemmy.world/activities/announce/create/0223f939-aafc-4215-9c20-a3460c967f63" 
    ... (the rest of the most recent post from linux memes)
}

(I came across this randomly, so I don't know if 'memes' is the only community missing an outbox. Others I've tried have been OK though)

starwarsmemes · Star Wars Memes · by freamon

Introducing It's Like Poetry March! (A Monthly Theme) [ILPM]

Hello again,

February's finally over, so 4 Frame memes are old news. Now, for March, memes with rhymes in them are what's required to get Featured in the Community.

This one will be stickied until a new meme with (ideally terrible) rhymes in it and [ILPM] somewhere in the title is submitted, and then the new post will be stickied instead (it's a manual affair atm, so it won't be instant).

Thanks!
