It’s like an exploit or something, and Pete turned it off.
NEETzsche (neetzsche@iddqd.social)'s status on Tuesday, 05-Sep-2023 14:25:20 JST NEETzsche -
NEETzsche (neetzsche@iddqd.social)'s status on Tuesday, 05-Sep-2023 14:32:24 JST NEETzsche Well if he turned it off I no longer care. I just wanted my shit to work, and I made it work.
rees (rees@breastmilk.club)'s status on Tuesday, 05-Sep-2023 14:32:25 JST rees @NEETzsche @alex @malakai it's not an exploit it's just sending junk data -
Alex Gleason (alex@gleasonator.com)'s status on Tuesday, 05-Sep-2023 14:42:46 JST Alex Gleason @mint @rees @NEETzsche @malakai The only two FEs that support quote posting with backwards compatibility. After the inline mentions incident we made an effort to try to make everybody happy with quote posts. But you fucktards will never be happy. Pete is creating a problem out of a solution to another problem, that he would have otherwise bitched about if it had not been implemented. Do you see the impossible situation? We can't have it all. So the real message is: "slow down cowboy. I want to see more failure." Lol, fuck no. Anyways, back to the grind. NEETzsche and Fediverse Contractor like this. -
(mint@ryona.agency)'s status on Tuesday, 05-Sep-2023 14:42:47 JST @rees @alex @NEETzsche @malakai A data that is shown correctly on every frontend except two. Alex Gleason repeated this. -
NEETzsche (neetzsche@iddqd.social)'s status on Tuesday, 05-Sep-2023 14:45:34 JST NEETzsche Fair enough I suppose.
Alex Gleason likes this. -
rees (rees@breastmilk.club)'s status on Tuesday, 05-Sep-2023 14:47:46 JST rees @mint @alex @NEETzsche @malakai pete could send out posts with an mrf that injects "PEE PEE POO PEEE", add a peepeepoopee™ decryption algorithm a couple of frontends that detects if it's signed with peepeepoopee and removes all instances of peepeepoopee from each post and then force everyone to implement the peepoopee filter algorithm to every frontend that exists just to be compliant or you can just reject the posts for spam because that's what it actually is. it adds noise to the network and isn't actually a feature. quote posts are an actual feature that people like. -
Alex Gleason (alex@gleasonator.com)'s status on Tuesday, 05-Sep-2023 14:48:10 JST Alex Gleason @rees @mint @NEETzsche @malakai This guy gets it. -
NEETzsche (neetzsche@iddqd.social)'s status on Tuesday, 05-Sep-2023 14:48:26 JST NEETzsche I lol’d. Alright, I’m convinced.
Alex Gleason likes this. -
NEETzsche (neetzsche@iddqd.social)'s status on Tuesday, 05-Sep-2023 14:51:31 JST NEETzsche Well, my personal fork of Soapbox still accounts for this exact scenario but the PR got rejected, Pete lifted the stupid exploit, and now none of it matters. Any further malding about this amounts to Asperger’s.
(mint@ryona.agency)'s status on Tuesday, 05-Sep-2023 14:51:32 JST @alex @rees @NEETzsche @malakai Both my personal forks of bloat and pleroma-fe support quoteposts and yet weren't vulnerable to the problem since I accounted for that exact scenario. -
Alex Gleason (alex@gleasonator.com)'s status on Tuesday, 05-Sep-2023 14:56:27 JST Alex Gleason @mint @rees @NEETzsche @malakai You literally can't. If he wraps .inline-recipients instead of .inline-quote, all replies would be affected. It's only "fixable" for quote posts because FSE does not support quote posts. By the very nature of the way this works, it's fundamentally impossible to just "patch" this on the frontend. It's all or nothing, you either allow hidden elements or you don't. -
NEETzsche (neetzsche@iddqd.social)'s status on Tuesday, 05-Sep-2023 14:59:18 JST NEETzsche You could make it detect if a particular filter would hide basically the whole thing and just not allow that unless it has attachments, but really, fuck it, who the fuck cares at this point. Even then he could just make it say “PEE PEE POO POO” and hide the rest of the message and then call it a Soapbox bug.
Alex Gleason likes this. -
NEETzsche (neetzsche@iddqd.social)'s status on Tuesday, 05-Sep-2023 15:04:18 JST NEETzsche I mean why is he marking the entire post as hidden in the first place? Maybe don’t do that.
Alex Gleason likes this. -
(mint@ryona.agency)'s status on Tuesday, 05-Sep-2023 15:04:19 JST @alex @rees @NEETzsche @malakai Then don't allow them, or check the contents of said span before hiding. -
Alex Gleason (alex@gleasonator.com)'s status on Tuesday, 05-Sep-2023 15:10:22 JST Alex Gleason @NEETzsche @rees @mint @malakai Yep, I thought of that too. Still imperfect because there could be valid use-cases to hide the whole content.
Per-instance custom HTML scrubbers would be the ideal way to solve it on your end, because you could say "x server loses its classname privileges". Targeting specific servers makes more sense than solving it as a general problem.
The main reason not to do any of this is because it would be allowing Pete to waste our time fixing something that benefits him more than us. -
Alex Gleason (alex@gleasonator.com)'s status on Tuesday, 05-Sep-2023 15:12:08 JST Alex Gleason @mint @rees @NEETzsche @malakai You're missing that hidden elements are considered a *feature* and not a bug. -
NEETzsche (neetzsche@iddqd.social)'s status on Tuesday, 05-Sep-2023 15:12:56 JST NEETzsche I should make the client automatically send a request to the admin BE to defederate the entire instance when it detects this kind of bullshit. That would make script kiddies like Pete seethe. Brb writing the PR now.
(mint@ryona.agency)'s status on Tuesday, 05-Sep-2023 15:12:58 JST @NEETzsche @rees @alex @malakai Because it's fun to make soydevs seethe. -
rees (rees@breastmilk.club)'s status on Tuesday, 05-Sep-2023 15:15:09 JST rees @mint @alex @NEETzsche @malakai you can actually overcorrect trying to accommodate for bad data and create more bad data. in AI it's called over-fitting. the solution is actually just to defederate because they are intentionally sending you bad data and they will likely continue to keep doing it NEETzsche likes this. -
Alex Gleason (alex@gleasonator.com)'s status on Tuesday, 05-Sep-2023 15:18:50 JST Alex Gleason @NEETzsche @mint @rees @malakai Write one that lets you specify a list of domains, and then scrub the html of all class names from the given domains.
Detecting it automatically is too hard or impossible. You just need the ability to quarantine Peter. -
Alex Gleason (alex@gleasonator.com)'s status on Tuesday, 05-Sep-2023 15:20:56 JST Alex Gleason @mint @rees @NEETzsche @malakai We clearly have different priorities. So we will go our own ways on it. But I'm sure we can still collaborate in other ways. -
(mint@ryona.agency)'s status on Tuesday, 05-Sep-2023 15:20:57 JST @alex @rees @NEETzsche @malakai An antifeature, if I will. The only hidden elements to my knowledge are quote fallbacks (solvable by checking the existence of an actual quote) and the inline mentions (which are already handled the right way by pleroma-fe and my bloat which simply show only the hidden mentions above the post, but that isn't twitteresque enough for your liking). -
NEETzsche (neetzsche@iddqd.social)'s status on Tuesday, 05-Sep-2023 15:22:04 JST NEETzsche >solvable by checking the existence of an actual quote
My PR runs the isQuote() function, but that function just checks if the quote_url field has a value. Well, what if Pete makes that field say “POO POO PEE PEE”? Take that Nichy, your code is still broken. It’s script kiddy shit. I’ve done an about face on this twice now, and I’m currently thinking it’s a self-own again.
Alex Gleason likes this. -
(mint@ryona.agency)'s status on Tuesday, 05-Sep-2023 15:23:31 JST @alex @rees @NEETzsche @malakai True that. Alex Gleason likes this. -
NEETzsche (neetzsche@iddqd.social)'s status on Tuesday, 05-Sep-2023 15:25:38 JST NEETzsche Why do we need to sanitize FSE’s malformed HTML to make sure that it doesn’t say “POO POO PEE” or hide the entire message or whatever other stupid shit Pete comes up with? It’s not 1995 anymore so he can’t make my CD-ROM drive open and close anymore because I don’t have one, so this is the shit he’s resorting to.
(mint@ryona.agency)'s status on Tuesday, 05-Sep-2023 15:25:39 JST @rees @alex @NEETzsche @malakai Hidden elements serve a purpose, but if end-user input isn't getting sanitized to prevent them from abusing it, I'm inclined to believe it's a site's problem. -
rees (rees@breastmilk.club)'s status on Tuesday, 05-Sep-2023 15:25:40 JST rees @mint @alex @NEETzsche @malakai why don't you complain to the w3 for implementing hidden elements in html and then start a political movement to remove it from the spec and create websites without it -
rees (rees@breastmilk.club)'s status on Tuesday, 05-Sep-2023 15:29:28 JST rees @NEETzsche @alex @mint @malakai this is actually why you don't ever want to use blacklists for XSS sanitization because people will just find a way around it. the XSS cat and mouse chase has been going on for decades. the right way to do it is just whitelist and be done with it. same thing goes for fedi, just defed and be done with the problem. Alex Gleason likes this. -
NEETzsche (neetzsche@iddqd.social)'s status on Tuesday, 05-Sep-2023 15:31:15 JST NEETzsche Pete should have done this for April Fool’s or something and actually made it funny.
Alex Gleason likes this. -
NEETzsche (neetzsche@iddqd.social)'s status on Tuesday, 05-Sep-2023 15:34:04 JST NEETzsche And what are the consequences of them doing this, aside from me not seeing their dumb remarks? I put in a PR to fix it and I bitched about it for about half a day but this isn’t exactly a hill to die on and I’m not sure why you’re making it into one.
Alex Gleason likes this. -
Alex Gleason (alex@gleasonator.com)'s status on Tuesday, 05-Sep-2023 15:34:05 JST Alex Gleason @NEETzsche @mint @rees @malakai If you want to be evil, just append <span class="inline-quote">pete is a poo poo pee head</span> to every post.
(mint@ryona.agency)'s status on Tuesday, 05-Sep-2023 15:34:06 JST @NEETzsche @rees @alex @malakai Who abuses it doesn't matter, any user can wrap their post in that class like I did right now with this phrase. As a matter of fact, I have discovered it months ago and trolled a few people as well. Didn't take it to these heights, of course. -
(mint@ryona.agency)'s status on Tuesday, 05-Sep-2023 15:38:41 JST @NEETzsche @rees @alex @malakai Considering how many people complained about it, "not seeing their dumb remarks" seems to be a dealbreaker for some. You actually did the most reasonable thing during the whole skirmish, even if it was rejected. NEETzsche likes this. -
NEETzsche (neetzsche@iddqd.social)'s status on Tuesday, 05-Sep-2023 15:42:14 JST NEETzsche That’s fair I suppose but I haven’t given a shit what FSE niggers have to say in over a year lol
NEETzsche (neetzsche@iddqd.social)'s status on Tuesday, 05-Sep-2023 15:47:07 JST NEETzsche Clearly the solution is to jump ships to Nostr where your username looks like a SHA
(mint@ryona.agency)'s status on Tuesday, 05-Sep-2023 15:47:08 JST @rees @alex @NEETzsche @malakai No, because it has a finite and explicitly defined list of receivers that are the people you explicitly tag in it. -
rees (rees@breastmilk.club)'s status on Tuesday, 05-Sep-2023 15:47:09 JST rees @mint @alex @NEETzsche @malakai what about DM scope -
(mint@ryona.agency)'s status on Tuesday, 05-Sep-2023 15:47:10 JST @rees @alex @NEETzsche @malakai Yes, actually. Followers-only is broken and detrimental to the discourse. -
rees (rees@breastmilk.club)'s status on Tuesday, 05-Sep-2023 15:47:11 JST rees @mint @alex @NEETzsche @malakai is it an exploit if I use follower-only scope so only some people can see my posts -
Alex Gleason (alex@gleasonator.com)'s status on Tuesday, 05-Sep-2023 15:50:57 JST Alex Gleason @mint @NEETzsche @rees @malakai It's like a noscript tag.
Also, Nostr fixes this because admins can't rewrite users' posts at all. -
Neko McCatface v2023 :verified::makemeneko: (roboneko@bae.st)'s status on Tuesday, 05-Sep-2023 15:51:53 JST Neko McCatface v2023 :verified::makemeneko: @rees @alex @NEETzsche @mint @malakai no FO is utterly broken. if the FO reply were able to use the same scope as OP it would work. but the current design is a fuck (they did the easy thing) that never should have seen the light of day because it breaks threads for anyone not tagged in them (might as well have gone DM in that case) Alex Gleason likes this. -
rees (rees@breastmilk.club)'s status on Tuesday, 05-Sep-2023 15:51:54 JST rees @mint @alex @NEETzsche @malakai so does followers only, it's in the activity stream spec -
NEETzsche (neetzsche@iddqd.social)'s status on Tuesday, 05-Sep-2023 15:52:12 JST NEETzsche >make a joke about how the solution is muh nostr
>gleason fulfills the prophecy instantly
:anintellectual:
Alex Gleason (alex@gleasonator.com)'s status on Tuesday, 05-Sep-2023 15:53:33 JST Alex Gleason @NEETzsche @mint @rees @malakai Users on Nostr have handles that look like fedi. It just can't be bridged that way. -
rees (rees@breastmilk.club)'s status on Tuesday, 05-Sep-2023 15:54:28 JST rees @NEETzsche @alex @mint @malakai even if nostr is fundamentally flawed it still fixes a lot of this crap Alex Gleason likes this. -
NEETzsche (neetzsche@iddqd.social)'s status on Tuesday, 05-Sep-2023 15:55:01 JST NEETzsche I think the SHA usernames are going to be an even bigger hurdle for normies to using it than fedi.
“What’s your Nostr breh?”
“Uh, wel, uh, let me send you the QR code…”
Alex Gleason (alex@gleasonator.com)'s status on Tuesday, 05-Sep-2023 15:56:43 JST Alex Gleason @NEETzsche @rees @mint @malakai Like I said, they have regular email style names on Nostr, eg @jack@cash.app -
NEETzsche (neetzsche@iddqd.social)'s status on Tuesday, 05-Sep-2023 15:57:27 JST NEETzsche So what stops me from spoofing @alex and making posts about all the steaks I’m eating?
Alex Gleason (alex@gleasonator.com)'s status on Tuesday, 05-Sep-2023 15:58:32 JST Alex Gleason @NEETzsche @rees @mint @malakai https://cash.app/.well-known/nostr.json?name=jack -
Alex Gleason (alex@gleasonator.com)'s status on Tuesday, 05-Sep-2023 15:59:31 JST Alex Gleason @NEETzsche @rees @mint @malakai Literally upload a JSON file to any domain, and you can be a user on that domain. And you can change it any time without breaking anything. -
NEETzsche (neetzsche@iddqd.social)'s status on Tuesday, 05-Sep-2023 16:00:21 JST NEETzsche That’s… actually persuasive. You’re starting to sell me breh.
NEETzsche (neetzsche@iddqd.social)'s status on Tuesday, 05-Sep-2023 16:03:00 JST NEETzsche Oof. That’s the other side of it. You can like reverse spoof. Like when the WEF said that Indian guy was a member when he isn’t.
rees (rees@breastmilk.club)'s status on Tuesday, 05-Sep-2023 16:03:01 JST rees @alex @NEETzsche @mint @malakai need to make bigfatvegancocks.com point to your npub -
Alex Gleason (alex@gleasonator.com)'s status on Tuesday, 05-Sep-2023 16:08:41 JST Alex Gleason @mint @rees @NEETzsche @malakai You define your @ in your profile, then clients verify it from the well-known endpoint. Multiple nostr.json's are just multiple options for names you can become.
The main problem with bridging this is exactly the flexibility it provides. Fedi software can't handle it. It needs to be a stable name, therefore it uses the pubkey. -
(mint@ryona.agency)'s status on Tuesday, 05-Sep-2023 16:08:43 JST @alex @rees @NEETzsche @malakai How does it behave if there are two separate name identities via nostr.json? Could you tie a fedi account from mostr bridge to that? -
NEETzsche (neetzsche@iddqd.social)'s status on Tuesday, 05-Sep-2023 16:08:48 JST NEETzsche You can’t see through a clear window bro
DJ Solomon (11112011@freespeechextremist.com)'s status on Tuesday, 05-Sep-2023 16:08:49 JST DJ Solomon @NEETzsche @mint @rees @alex @malakai could it be bc fse niggers see thru ur bs? -
NEETzsche (neetzsche@iddqd.social)'s status on Tuesday, 05-Sep-2023 16:13:39 JST NEETzsche I tried Nostr a few months ago and the Android client I got – Amethyst, I think? – was dogshit. Like it was 1990s clunky proof of concept shit.
rees (rees@breastmilk.club)'s status on Tuesday, 05-Sep-2023 16:17:50 JST rees @Hoss @alex @NEETzsche @mint @malakai people will bitch about everything. I bet you there's some autist out there complaining about how we removed lead from children's toys because he would melt them down to make paint and can't understand why we removed that "feature" -
Hoss Delgado (hoss@shitpost.cloud)'s status on Tuesday, 05-Sep-2023 16:17:51 JST Hoss Delgado What is it with people shitting their fucking diapers about quote posts all the time? If you're angry other people are using them and you don't like it that is very much a "you problem". Alex Gleason repeated this. -
Alex Gleason (alex@gleasonator.com)'s status on Tuesday, 05-Sep-2023 16:24:41 JST Alex Gleason @NEETzsche @rees @mint @malakai It took fedi over a decade to get good. Nostr is in its infancy, but catching up quickly. -
Alex Gleason (alex@gleasonator.com)'s status on Tuesday, 05-Sep-2023 16:26:40 JST Alex Gleason @Hoss @rees @NEETzsche @mint @malakai In theory yes. In practice this counts as "changing the username", something no fedi software supports because it breaks federation with Mastodon. -
Hoss Delgado (hoss@shitpost.cloud)'s status on Tuesday, 05-Sep-2023 16:26:41 JST Hoss Delgado Would it be possible for Mostr to check for this file on an instance and assign that name to the mirrored profile? -
Alex Gleason (alex@gleasonator.com)'s status on Tuesday, 05-Sep-2023 16:39:20 JST Alex Gleason @Hoss @rees @NEETzsche @mint @malakai Oh, is that what you were asking? Then yes. There would need to be a way for you to negotiate it with the bridge. I've thought about building a UI, but my main path forward is with Ditto. -
Hoss Delgado (hoss@shitpost.cloud)'s status on Tuesday, 05-Sep-2023 16:39:21 JST Hoss Delgado Can it be done on just the Nostr side, though? Where the name of my mirrored profile on Nostr is given "Hoss@shitpost.cloud" because Mostr found the file containing the hash of the mirror profile on my site. -
(mint@ryona.agency)'s status on Tuesday, 05-Sep-2023 23:49:10 JST @alex @rees @NEETzsche @malakai Did a thingy.
location /.well-known/nostr.json$ {
    resolver 8.8.8.8;
    proxy_ssl_server_name on;
    proxy_ssl_name "mostr.pub";
    proxy_set_header Host "mostr.pub";
    proxy_pass https://mostr.pub${request_uri}_at_ryona.agency;
    proxy_buffering on;
    sub_filter "_at_ryona.agency" "";
    sub_filter_types application/json;
}
https://ryona.agency/.well-known/nostr.json?name=mint returns "mint" when using curl, but "mint_at_ryona.agency" when opening it in browser. Very bizarre.
Alex Gleason likes this. -
Johnny Peligro (mischievoustomato@marsey.moe)'s status on Wednesday, 06-Sep-2023 07:16:00 JST Johnny Peligro @alex @rees @NEETzsche @mint @malakai fse is a small instance, ignoring it isn't a big deal Fediverse Contractor likes this. -
Zero :zt_think: :artix: (zero@strelizia.net)'s status on Wednesday, 06-Sep-2023 07:16:03 JST Zero :zt_think: :artix: @mischievoustomato @rees @alex @NEETzsche @mint @malakai NEETzsche and Fediverse Contractor like this.