As if telling Reddit, Facebook, or Google what to put on their roadmap as an ordinary consumer would actually work.

At least with FLOSS if you want something, and if it is a good thing the developers like, you can likely get it merged. If not, you can fork and still have the feature locally. Good luck getting that freedom with a closed-source product.

For software I develop, I do find it is helpful if people making feature suggestions tell developers what is useful for them and why, but that doesn’t entitle them any of my time to demand what features I prioritise. The alternative is “I gave you something you like for free, so now I owe you to make it even better for you”, which is obviously nonsense.

If you have control of the domain, you can also get an X.509 certificate from any CA (e.g. for free from LetsEncrypt). Then you can put up a new server on that domain with a valid cert. If that server supports ActivityPub, it can provide new public keys for private keys you control for all users on the server, and can use the corresponding private keys to sign messages from any user on that server to any community those users are still subscribed to. In addition, any users on other servers still posting to / interacting with communities on that server would cause their server to send that to the inbox on the new server.

This means any usernames or communities on queer.af should no longer be trusted.

Yeah everyone using Cloudflare is definitely centralisation, but maybe a kind of centralisation that allows for easier switching to something else if Cloudflare gets too crazy.

DDoS is a war of attrition - and the best way to win a war of attrition is to make it cost much more than $1 to make you spend $1, and to be able to outspend the attackers (e.g. the whole community bands together to support the victims against the attacker). I think the best response depends on who is attacking.

Network level DDoS is likely using stolen bandwidth - but the person directing the attack is probably paying someone for the use of it (i.e. they didn’t compromise the equipment themselves, someone else builds botnets and rents them out). If you can identify what traffic is part of a DDoS, you can track down where it is coming from, and alert the owner of the network where it is coming from, which hurts the person providing the services to the attacker quite a lot. If I have a reputation of: if you attack me for someone else, I’ll cost you a significant part of your business that will take you months to build back up, then you are not going to offer that service cheaply, or even at all.

Application level DDoS usually relies on amplification of cost - I do something relatively inexpensive (like send a packet opening a connection), and it makes you do something really expensive involving databases, disk IO etc…; a good mitigation is to redesign the API to flip that on its head, so you do something expensive, and I do something relatively cheaper for you. There is an open issue about using Hashcash to do just that at: https://github.com/LemmyNet/lemmy/issues/3204 - the downside is that it forces users (even on mobile devices) to use more compute / power for every request to Lemmy, but I think there is a balance that can be struck there where it isn’t too bad for users, but makes that type of attack infeasible.