Conversation

Notices

Embed this notice
Pawlicker (purpcat@clubcyberia.co)'s status on Sunday, 01-Oct-2023 06:53:50 JST Pawlicker

The fediverse didn't thrive because of instance blocks but in spite of them.

Unfortunately the signed fetch Mafia thinks that seeing blocklists is bad and then the users complain because of the lack of transparency 🤣

In conversation Sunday, 01-Oct-2023 06:53:50 JST from clubcyberia.co permalink
- Embed this notice
  Flaky (flaky@awoo.fyi)'s status on Sunday, 01-Oct-2023 06:53:49 JST Flaky
  in reply to
  
  @PurpCat 1. The fuck is signed fetch
  
  2. Personally I’d rather see the blocklist than not. I have anecdotal proof of people not joining fedi due to the blocklist drama.
  
  In conversation Sunday, 01-Oct-2023 06:53:49 JST permalink
- Embed this notice
  Pawlicker (purpcat@clubcyberia.co)'s status on Sunday, 01-Oct-2023 06:53:49 JST Pawlicker
  in reply to
  - Flaky
  @Flaky I think @mint can explain a signed fetch better than I can but it's more fedi "privacy through obscurity".
  
  Essentially the Akkoma/Firefish/Mastodon people have been pushing for this by default because it allows for a larger hugbox.
  
  https://fedi.tips/authorized-fetch/
  
  It doesn't actually work because a bunch of people on say instances like cum.salon have found ways to bypass it.
  In conversation Sunday, 01-Oct-2023 06:53:49 JST permalink
  Attachments
  1. Domain not in remote thumbnail source whitelist: fedi.tips
    
    “Authorized Fetch”
    
    from FediTips
    
    An unofficial guide to using Mastodon and the Fediverse
  likes this.
- Embed this notice
  (mint@ryona.agency)'s status on Sunday, 01-Oct-2023 06:59:37 JST
  in reply to
  - Flaky
  @PurpCat @Flaky Basically, every ActivityPub instance uses HTTP signatures provided by other instances to verify that new messages actually come from said instances, this is normal since otherwise anyone with a copy of curl could forge them. Signed fetches extend this to GET requests for objects/activities as well which is retarded since once the message leaves your instance, you have no control over it anyway: people can just go to your instance if API isn't locked, and if it is, go to the neighboring one.
  
  In conversation Sunday, 01-Oct-2023 06:59:37 JST permalink
- Embed this notice
  (mint@ryona.agency)'s status on Sunday, 01-Oct-2023 07:00:36 JST
  in reply to
  - Flaky
  - :marseyloadingneon: m0xEE :marseyloading:
  @m0xEE @Flaky @PurpCat Or this: https://gitgud.io/ryonagency/pleroma/-/commit/d7fca9df32f4f083779371a3f843285188372ba6
  In conversation Sunday, 01-Oct-2023 07:00:36 JST permalink
  Attachments
  1. Domain not in remote thumbnail source whitelist: gitgud.io
    
    Signed fetches spoofing (d7fca9df) · Commits · Ryona Agency / Pleroma · GitLab
    
    Fork of Pleroma used on ryona.agency; contains only small specific changes
- Embed this notice
  :marseyloadingneon: m0xEE :marseyloading: (m0xee@breloma.m0xee.net)'s status on Sunday, 01-Oct-2023 07:00:38 JST :marseyloadingneon: m0xEE :marseyloading:
  in reply to
  - Flaky
  @PurpCat @Flaky @mint
  Ways like this: https://gitea.moe/lamp/activitypub-proxy :marseywink:
  In conversation Sunday, 01-Oct-2023 07:00:38 JST permalink
  Attachments
  1. Domain not in remote thumbnail source whitelist: secure.gravatar.com
    
    activitypub-proxy
    
    from lamp
    
    Circumvent collateral fediblockage

Public

Conversation

Notices

Feeds