GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

  1. Alex Gleason (alex@gleasonator.com)'s status on Friday, 04-Aug-2023 23:39:15 JST
    • Oneesan succubus
    Pleroma is full of security vulnerabilities because OnlyFans paid people on Upwork to implement a bunch of features nobody wants.

    Have you ever tried downloading an emoji pack from a server? No? Well that's the vulnerable code.

    Anyway, hopefully everyone is using S3 for uploads by now and has the dedupe filter enabled.

    Patch is being merged into Rebased now: https://gitlab.com/soapbox-pub/rebased/-/merge_requests/263

    A patch was ready yesterday but I figured I'd wait til after it landed upstream first.

    RT: https://pleroma.soykaf.com/objects/c655af15-7632-41e6-86f3-d06ab5bbb84a

    Attachments

    1. Merge Pleroma (security fix) (!263) · Merge requests · Soapbox / Rebased · GitLab
      See: https://pleroma.social/announcements/2023/08/04/pleroma-security-release-2.5.3/

    • ぐぬ管 (GNU social JP管理人) and cool_boy_mew like this.
    • ぐぬ管 (GNU social JP管理人) repeated this.
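The upload hardening the post above recommends (the S3 uploader together with the dedupe filter) maps onto two Pleroma configuration blocks. What follows is an added illustration written for this page, not code taken from the post or from the Pleroma project; the option names follow Pleroma's documented upload configuration as I know it, while the file path, bucket name, region and the environment variables holding credentials are placeholders to be replaced with site-specific values. The weaker local-storage setting is shown first, commented out, so the two can be compared side by side.

```elixir
# Placeholder path: a site-local Pleroma config file such as prod.secret.exs.

# Weaker setting for comparison: uploads are written to the instance's own
# disk under their upload-derived names, with no content-addressed dedupe.
# config :pleroma, Pleroma.Upload,
#   uploader: Pleroma.Uploaders.Local,
#   filters: []

# Hardened setting: store uploads in an S3 bucket and run the Dedupe filter,
# which names each stored object after the SHA-256 digest of its contents,
# so the stored name no longer derives from the uploaded filename and
# identical files collapse into a single object.
config :pleroma, Pleroma.Upload,
  uploader: Pleroma.Uploaders.S3,
  filters: [Pleroma.Upload.Filter.Dedupe]

config :pleroma, Pleroma.Uploaders.S3,
  # Placeholder bucket name; substitute the real bucket.
  bucket: "example-pleroma-uploads"

# Credentials for the S3 client library (ex_aws). Values are read from the
# environment so secrets are not committed alongside the config; the
# variable names and region are assumptions for this example.
config :ex_aws, :s3,
  access_key_id: System.get_env("AWS_ACCESS_KEY_ID"),
  secret_access_key: System.get_env("AWS_SECRET_ACCESS_KEY"),
  region: "us-east-1"
```

After changing the uploader, check that the instance can actually write to the bucket (a test upload through the normal media endpoint) and that previously uploaded media is either migrated or still served from its old location, since switching uploaders does not move existing files.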
    • PC-9801 Enjoyer (pawlicker@bae.st)'s status on Friday, 04-Aug-2023 23:46:50 JST
      in reply to
      • Oneesan succubus
      @alex @lain >Pleroma is full of security vulnerabilities because OnlyFans paid people on Upwork to implement a bunch of features nobody wants.

      Also there's nobody auditing it. As jank as Mastodon is, they have processes for dealing with this too and a bug bounty.
      https://arstechnica.com/security/2023/07/mastodon-fixes-critical-tootroot-vulnerability-allowing-node-hijacking/
      https://docs.joinmastodon.org/dev/disclosure/

      Attachments

      1. Mastodon fixes critical “TootRoot” vulnerability allowing node hijacking
        Most critical of the bugs allowed attackers to root federated instances.
      2. Bug bounties and responsible disclosure
        What to do if you found a serious bug
      Alex Gleason likes this.
      Alex Gleason repeated this.
    • Alex Gleason (alex@gleasonator.com)'s status on Friday, 04-Aug-2023 23:47:20 JST
      in reply to
      • Oneesan succubus
      • PC-9801 Enjoyer
      @Pawlicker @lain You know who's auditing it is Poast... but I don't see them being thanked.
    • :niggy: (niggy@poa.st)'s status on Friday, 04-Aug-2023 23:49:59 JST
      in reply to
      • Oneesan succubus
      • PC-9801 Enjoyer
      @Pawlicker @alex @lain don't worry friend, I am auditing it
      Sexy Moon likes this.
    • Alex Gleason (alex@gleasonator.com)'s status on Friday, 04-Aug-2023 23:58:55 JST
      in reply to
      • Sayar Tyler :fediverse:
      @sayartyler No. More correctly it was MyFreeCams. The largest Pleroma server used to be social.myfreecams.com until it was shut down. Both sites are owned by Leo Radvinsky.
    • Sayar Tyler :fediverse: (sayartyler@toots.tylerdavis.xyz)'s status on Friday, 04-Aug-2023 23:58:59 JST
      in reply to

      @alex Wait... Is OF based on Pleroma?

    • Fediverse Contractor (bot@seal.cafe)'s status on Saturday, 05-Aug-2023 00:09:05 JST
      in reply to
      • Sayar Tyler :fediverse:
      Why did social.mfc shut down?
    • feld (feld@bikeshed.party)'s status on Saturday, 05-Aug-2023 00:14:24 JST
      in reply to
      • Oneesan succubus
      > to implement a bunch of features nobody wants.

      come on man, that's not fair. When federated instance emojis were first happening people wanted an easy way to download entire emoji packs from other servers. Don't rewrite history.

      Lots of times users request features that nobody ever uses. That's the problem with having users. They always think they know what they want.
      narcolepsy and alcoholism :flag: and Alex Gleason like this.
    • feld (feld@bikeshed.party)'s status on Saturday, 05-Aug-2023 00:15:52 JST
      in reply to
      • Sayar Tyler :fediverse:
      OF was actually a competitor to MFC Social (by the same investor), and OF exploded in popularity so it didn't make sense to run both projects simultaneously.
    • feld (feld@bikeshed.party)'s status on Saturday, 05-Aug-2023 00:22:55 JST
      in reply to
      • Oneesan succubus
      • feld
      also I don't know why you're so upset about Upwork. We had a roadmap and goals for the project and not enough manpower. People on Upwork knew Elixir. We brought them onto the project. They did some *really* great work.

      Ivan / i1t is possibly one of the smartest devs I've ever seen.

      Roman and Alex were fucking great too.

      These people are better Elixir devs than you or me.

      Attachments

      1. https://media.bikeshed.party/pleroma/ce01bc47651ba0837f37259326f1a3b2a1b2df76f9d7c8a730b0e4c319416b82.png
    • narcolepsy and alcoholism :flag: (hj@shigusegubu.club)'s status on Saturday, 05-Aug-2023 00:23:39 JST
      in reply to
      • Oneesan succubus
      • feld
      @feld @alex @lain >> to implement a bunch of features nobody wants.
      >upwork

      Let it be known that a lot of these unwanted features (themes, HTML parsing, yous, flash support) were done by me and for free. Either before pornlord era or after it. Pornlord era mostly consisted of awful shit like let's change the urls, let's get rid of filenames, let's migrate to mastoapi, let's implement chats, let's implement stories etc.

      Users do know what they want and they use what you think "no one is using", meanwhile your approach usually was let's do what nobody asked for for sake of people who might or might not exist.
    • narcolepsy and alcoholism :flag: (hj@shigusegubu.club)'s status on Saturday, 05-Aug-2023 00:24:37 JST
      in reply to
      • Oneesan succubus
      • feld
      @feld @alex @lain I get why he's upset, I'm upset too but for (mostly) different reasons.
    • feld (feld@bikeshed.party)'s status on Saturday, 05-Aug-2023 00:25:58 JST
      in reply to
      • Oneesan succubus
      also Elixir is memory/thread safe, so no it's not "full of vulnerabilities".
    • narcolepsy and alcoholism :flag: (hj@shigusegubu.club)'s status on Saturday, 05-Aug-2023 00:28:17 JST
      in reply to
      • Oneesan succubus
      @alex @lain >Have you ever tried downloading an emoji pack from a server?

      Yes I use it to sync emoji between sgsgb and ebinclub. It's also broken.
    • feld (feld@bikeshed.party)'s status on Saturday, 05-Aug-2023 00:37:24 JST
      in reply to
      • narcolepsy and alcoholism :flag:
      • Oneesan succubus
      > lets implement stories

      Pixelfed should be ashamed I know right?
      Doughnut Lollipop 【記録係】:blobfoxgooglymlem: likes this.
    • Alex Gleason (alex@gleasonator.com)'s status on Saturday, 05-Aug-2023 02:05:45 JST
      in reply to
      • Oneesan succubus
      • gh0st
      @gh0st @lain Tell me a productive thing you've done in the past week. I'd be interested to know.
    • gh0st (gh0st@freespeechextremist.com)'s status on Saturday, 05-Aug-2023 02:05:46 JST
      in reply to
      • Oneesan succubus
      @alex @lain Nigger you flip-flop between begging for Pleroma commit access and calling Pleroma out for not adhering to your wife's blog. No wonder everyone ghosts you.
      twl likes this.
    • Alex Gleason (alex@gleasonator.com)'s status on Saturday, 05-Aug-2023 08:27:46 JST
      in reply to
      • Oneesan succubus
      • feld
      @feld @lain It's nothing against you. This is about Lain. Lain created Pleroma and attracted a bunch of people to it, then abandoned it and put 2 mentally ill people in charge.

      I am frustrated by the constant security vulnerabilities my people are finding while Lain makes public announcements like this intentionally excluding us. I want him to fucking congratulate us every single time we find a security vulnerability. To not do so is to not really take it seriously.

      You know what Lain could do? Put poa.st on the homepage of pleroma.social under "Featured Instances". Make it the top one. What is the rationale not to? And next time, tag me, tag graf, and tag niggy.

      Lain doesn't write a single line of code on Pleroma anymore. Maybe you should be the one making the Pleroma announcements from now on, feld, since you're the one who actually does the right thing in these scenarios.

      This is not something I dwell on. But if every week we find a new security vulnerability and Lain makes a post like this again, I'm going to call it out. Until this either stops or I finish building my new backend, I'm going to expect Lain to step up and justify the situation he created by being the best possible person. I WANT Lain to be good.
      BowserNoodle ☦️ likes this.
    • feld (feld@bikeshed.party)'s status on Saturday, 05-Aug-2023 22:10:12 JST
      in reply to
      • Oneesan succubus
      • gvs
      what does "feature complete" mean to you? because it does everything I need day to day
    • gvs (gvs@rebelbase.site)'s status on Saturday, 05-Aug-2023 22:10:14 JST
      in reply to
      • Oneesan succubus
      • feld
      I've been wondering for a while NOS to what degree Pleroma was abandoned... There have been very few updates even for something that would be considered feature-complete

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.